Rack:: Static header_rules bypass via URL-encoded paths
Published: April 02, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-34786 (NVD)
- GHSA: GHSA-q4qf-9j86-f5mh
- Vendor Advisory: https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh
GEM
SEVERITY
CVSS v3.x: 5.3 (Medium)
PATCHED VERSIONS
~> 2.2.23
~> 3.1.21
>= 3.2.6
DESCRIPTION
Summary
Rack::Static#applicable_rules evaluates several header_rules
types against the raw URL-encoded PATH_INFO, while the underlying
file-serving path is decoded before the file is served. As a result,
a request for a URL-encoded variant of a static path can serve
the same file without the headers that header_rules were intended to apply.
In deployments that rely on Rack::Static to attach security-relevant
response headers to static content, this can allow an attacker to
bypass those headers by requesting an encoded form of the path.
Details
Rack::Static#applicable_rules matches rule types such as :fonts,
Array, and Regexp directly against the incoming PATH_INFO. For example:
when :fonts
/\.(?:ttf|otf|eot|woff2|woff|svg)\z/.match?(path)
when Array
/\.(#{rule.join('|')})\z/.match?(path)
when Regexp
rule.match?(path)
These checks operate on the raw request path. If the request contains
encoded characters such as %2E in place of ., the rule may fail
to match even though the file path is later decoded and served
successfully by the static file server.
For example, both of the following requests may resolve to the same file on disk:
/fonts/test.woff
/fonts/test%2Ewoff
but only the unencoded form may receive the headers configured
through header_rules.
This creates a canonicalization mismatch between the path used for header policy decisions and the path ultimately used for file serving.
Impact
Applications that rely on Rack::Static header_rules to apply
security-relevant headers to static files may be affected.
In affected deployments, an attacker can request an encoded
variant of a static file path and receive the same file without
the intended headers. Depending on how header_rules are used,
this may bypass protections such as clickjacking defenses, content
restrictions, or other response policies applied to static content.
The practical impact depends on the configured rules and the types
of files being served. If header_rules are only used for
non-security purposes such as caching, the issue may have limited
security significance.
Mitigation
- Update to a patched version of Rack that applies
header_rulesto a decoded path consistently with static file resolution. - Do not rely solely on
Rack::Staticheader_rulesfor security-critical headers where encoded path variants may reach the application. - Prefer setting security headers at the reverse proxy or web server layer so they apply consistently to both encoded and unencoded path forms.
- Normalize or reject encoded path variants for static content at the edge, where feasible.