Researchers discovered three vulnerabilities in Rack, a Ruby web server interface, that expose files and distort log data. OPSWAT identified these vulnerabilities as CVE-2025-27610, CVE-2025-27111, and CVE-2025-25184, all affecting how Rack handles file paths. The most severe, CVE-2025-27610, can allow attackers to access sensitive files and trigger data breaches under specific conditions. This flaw exists because Rack::Static fails to sanitize user paths, especially when the :root directory is misconfigured.
Attackers can exploit these weaknesses by crafting malicious paths and injecting CRLF sequences to manipulate system logs.
Without proper neutralization, attackers can distort log entries and hide their activity, masking malicious access attempts. Organizations using Rack should upgrade immediately or limit exposure by configuring static file directories properly. Removing Rack::Static or isolating public files can help prevent unauthorized access in the absence of patches.
In a separate issue, Infodraw Media Relay Service (MRS) has a critical vulnerability tracked as CVE-2025-43928. This path traversal bug allows attackers to read or delete any system file by misusing the username parameter. The flaw affects both Linux and Windows, and unpatched systems in Belgium and Luxembourg were taken offline.
Infodraw’s surveillance devices are widely used by law enforcement and transportation networks across several countries.
Security researcher Tim Philipp Schäfers warned that exploitation is likely due to the flaw’s trivial nature and no vendor patch. He urges organizations to disconnect vulnerable systems or restrict access using VPNs or IP allowlists immediately. Despite disclosure, Infodraw has not released a fix, raising concern about public safety and data security. Preventive actions are critical, as the vulnerability allows unauthenticated users to access or destroy vital system files.
