CVE-2025-61780: 
Ruby vulnerability analysis and mitigation

CVE-2025-61780 affects Rack, a modular Ruby web server interface. The vulnerability was discovered and disclosed in October 2025, impacting versions prior to 2.2.20, 3.1.18, and 3.2.3. It involves an information disclosure vulnerability in Rack::Sendfile when running behind a proxy that supports x-sendfile headers (such as Nginx) (GitHub Advisory).

The vulnerability occurs when Rack::Sendfile receives untrusted x-sendfile-type or x-accel-mapping headers from a client and interprets them as proxy configuration directives. This can cause the middleware to send a 'redirect' response to the proxy, prompting it to reissue a new internal request that bypasses the proxy's access controls. The vulnerability has been assigned a CVSS v3.1 score of 5.8 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N (GitHub Advisory).

Attackers could bypass proxy-enforced restrictions and access internal endpoints intended to be protected, such as administrative pages. While the vulnerability does not allow arbitrary file reads, it could expose sensitive application routes. The vulnerability only affects systems where the application uses Rack::Sendfile with a proxy supporting x-accel-redirect, the proxy does not properly manage headers, and the application exposes endpoints returning bodies that respond to .to_path (GitHub Advisory).

Users should upgrade to Rack versions 2.2.20, 3.1.18, or 3.2.3, which require explicit configuration to enable x-accel-redirect. Alternatively, configure the proxy to always set or strip the headers using 'proxysetheader x-sendfile-type x-accel-redirect' and 'proxysetheader x-accel-mapping /var/www/=/files/'. For Rails applications, sendfile can be disabled completely by setting 'config.actiondispatch.xsendfile_header = nil' (GitHub Advisory).