Cybersecurity researchers have disclosed three security flaws in the Rack Ruby web server interface that, if successfully exploited, could allow attackers to gain unauthorized access to files, inject malicious data, and tamper with logs under certain conditions.
The vulnerabilities, flagged by cybersecurity vendor OPSWAT, are listed below:
- CVE-2025-27610 (CVSS score: 7.5) – A path traversal vulnerability that could be used to gain access to all files under the specified root: directory, assuming an attacker can determine the paths to those files
- CVE-2025-27111 (CVSS score: 6.9) – An improper neutralization of carriage return line feed (CRLF) sequences and improper output neutralization for logs vulnerability that could be used to manipulate log entries and distort log files
- CVE-2025-25184 (CVSS score: 5.7) – An improper neutralization of carriage return line feed (CRLF) sequences and improper output neutralization for logs vulnerability that could be used to manipulate log entries and inject malicious data
Successful exploitation of the flaws could enable an attacker to obscure attack traces, read arbitrary files, and inject malicious code.
“Among these vulnerabilities, CVE-2025-27610 is particularly severe, as it could allow unauthenticated attackers to retrieve sensitive information, including configuration files, credentials, and confidential data, thereby leading to data breaches,” OPSWAT said in a report shared with The Hacker News.
The shortcoming stems from the fact that Rack::Static, a middleware used to serve static content such as JavaScript, stylesheets, and images, does not sanitize user-supplied paths before serving files, leading to a scenario where an attacker can supply a specially crafted path to access files outside of the static file directory.
“Specifically, when the :root parameter is not explicitly defined, Rack defaults this value to the current working directory by assigning it the value of Dir.pwd, implicitly designating it as the web root directory for the Rack application,” OPSWAT said.
As a result, if the :root option is either undefined or misconfigured relative to the :urls option, an unauthenticated attacker could weaponize CVE-2025-27610 through path traversal techniques to access sensitive files outside the intended web directory: with root: left at Dir.pwd, every file under the application's working directory (configuration, credentials, source) becomes a candidate for retrieval, not just the assets under the :urls prefixes.
To mitigate the risk posed by the flaw, it is recommended to update to a fixed version of Rack. If immediate patching is not an option, it is advised to remove usage of Rack::Static, or to ensure that root: points at a directory path that contains only files that are meant to be accessed publicly.
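The following is an added, self-contained Ruby example (not Rack's code, not OPSWAT's, and not a reproduction of the CVE) that models the :urls/:root mapping described above in a small Rack-shaped handler, so the effect of an omitted root: can be exercised without the rack gem installed. The class name StaticFiles, the confine_to_prefix option, the helper rack_static_demo, and the temporary app tree it builds (public/js/app.js, public/notes.txt, config/secrets.yml) are all constructed for illustration. It compares three configurations: root: omitted (falls back to Dir.pwd, as Rack::Static does), root: pointing at a public-only directory, and the same root with an extra check that the resolved file must stay under the matched URL prefix.

```ruby
require "fileutils"
require "tmpdir"

# Illustrative static-file handler in the shape of a Rack middleware
# (call(env) -> [status, headers, body]). It is NOT Rack::Static; it only
# mimics the :urls / :root mapping so the consequences of root: can be seen.
class StaticFiles
  def initialize(app, urls:, root: nil, confine_to_prefix: false)
    @app = app
    @urls = urls
    # Like Rack::Static, fall back to the current working directory when
    # root: is omitted: the whole application tree becomes the web root.
    @root = File.expand_path(root || Dir.pwd)
    @confine_to_prefix = confine_to_prefix
  end

  def call(env)
    path = env["PATH_INFO"] # assumed already URL-decoded, as Rack delivers it
    prefix = @urls.find { |u| path.start_with?(u) }
    return @app.call(env) unless prefix

    # Canonicalise: expand_path collapses "." and ".." segments.
    full = File.expand_path(File.join(@root, path))
    # Never leave root: (refuses "../" sequences that climb past the top).
    return text(403, "forbidden") unless under?(full, @root)
    # Hardened mode: the file must also stay under the matched URL prefix,
    # so "/js/../x" cannot reach siblings of the js directory inside root.
    if @confine_to_prefix && !under?(full, File.join(@root, prefix))
      return text(403, "forbidden")
    end
    return text(404, "not found") unless File.file?(full)
    [200, { "content-type" => "application/octet-stream" }, [File.binread(full)]]
  end

  private

  # True when candidate equals base or lies strictly below it.
  def under?(candidate, base)
    base = File.expand_path(base)
    candidate == base || candidate.start_with?(base + File::SEPARATOR)
  end

  def text(status, body)
    [status, { "content-type" => "text/plain" }, [body]]
  end
end

# Constructed demo: a throwaway app tree with public assets and one secret
# file. Returns the HTTP status each configuration gives a legitimate request
# and a traversal request so the difference can be inspected directly.
def rack_static_demo
  results = {}
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, "public", "js"))
    FileUtils.mkdir_p(File.join(dir, "config"))
    File.write(File.join(dir, "public", "js", "app.js"), "console.log('hi')")
    File.write(File.join(dir, "public", "notes.txt"), "in root, but not under /js")
    File.write(File.join(dir, "config", "secrets.yml"), "db_password: example")
    fallback = ->(_env) { [404, { "content-type" => "text/plain" }, ["app"]] }

    Dir.chdir(dir) do
      # root: omitted -> Dir.pwd, i.e. the application directory itself.
      weak = StaticFiles.new(fallback, urls: ["/public/js"])
      results[:weak_asset]     = weak.call("PATH_INFO" => "/public/js/app.js")[0]
      results[:weak_traversal] = weak.call("PATH_INFO" => "/public/js/../../config/secrets.yml")[0]

      # root: points at a directory that holds only public files.
      scoped = StaticFiles.new(fallback, urls: ["/js"], root: "public")
      results[:scoped_asset]     = scoped.call("PATH_INFO" => "/js/app.js")[0]
      results[:scoped_traversal] = scoped.call("PATH_INFO" => "/js/../../config/secrets.yml")[0]
      results[:scoped_sibling]   = scoped.call("PATH_INFO" => "/js/../notes.txt")[0]

      # Same root, plus the prefix check: a traversal that stays inside root
      # but leaves the js directory is refused as well.
      strict = StaticFiles.new(fallback, urls: ["/js"], root: "public", confine_to_prefix: true)
      results[:strict_sibling] = strict.call("PATH_INFO" => "/js/../notes.txt")[0]
    end
  end
  results
end
```

The weak configuration serves config/secrets.yml with a 200 because the traversal never leaves Dir.pwd; pointing root: at the public directory turns the same request into a 403, which is exactly the fallback mitigation the advisory recommends. The prefix check goes one step further than the page describes and is an assumption of this example, not a documented Rack option. Real Rack::Static also URL-decodes and cleans the path before mapping it, which this model skips.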
Critical Flaw in Infodraw Media Relay Service
The disclosure comes as a critical security defect has been uncovered in the Infodraw Media Relay Service (MRS) that allows reading or deletion of arbitrary files via a path traversal vulnerability (CVE-2025-43928, CVSS score: 9.8) in the username parameter of the system's login page.
Infodraw is an Israeli maker of mobile video surveillance solutions that are used to transmit audio, video, and GPS data over telecommunications networks. According to the company's website, its devices are used by law enforcement, private investigations, fleet management, and public transport in many countries.
“A trivial Path Traversal vulnerability allows it to read out any file from systems for unauthenticated attackers,” security researcher Tim Philipp Schäfers said in a statement shared with The Hacker News. “Moreover an ‘Arbitrary File Deletion Vulnerability’ exists that allows attackers to delete any file from the system.”
The flaw, which enables login with a username like “../../../../,” affects both the Windows and Linux versions of MRS. That said, the security defect remains unpatched. Vulnerable systems in Belgium and Luxembourg have been taken offline following responsible disclosure.
“Affected organizations are primarily advised to take the application offline immediately (since, despite early warnings, no manufacturer patch is available, and it is considered possible that the vulnerability will be exploited by malicious actors in the near future),” Philipp Schäfers said.
“If this is not possible, systems should be further protected with additional measures (such as using a VPN or specific IP unlocking).”