XSS injection via malicious filename in Rack::Directory.

jeremyevans · ioquatix · commit ed0f455074f9 · 2026-02-16T16:09:05.000+13:00
Without this, if the file started with a URL scheme, it would not
be treated as a relative link.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## Unreleased
+
+### Security
+
+- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`.
+
 ## [3.1.19] - 2025-11-03
 
 ### Fixed
diff --git a/lib/rack/directory.rb b/lib/rack/directory.rb
@@ -17,7 +17,7 @@ module Rack
   # If +app+ is not specified, a Rack::Files of the same +root+ will be used.
 
   class Directory
-    DIR_FILE = "<tr><td class='name'><a href='%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
+    DIR_FILE = "<tr><td class='name'><a href='./%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
     DIR_PAGE_HEADER = <<-PAGE
 <html><head>
   <title>%s</title>
diff --git a/test/spec_directory.rb b/test/spec_directory.rb
@@ -46,7 +46,7 @@ def setup
 
     res.must_be :ok?
     assert_includes(res.body, '<html><head>')
-    assert_includes(res.body, "href='cgi")
+    assert_includes(res.body, "href='./cgi")
   end
 
   it "serve directory indices" do
