Cybersecurity researchers have disclosed critical vulnerabilities in two widely used systems: the Rack Ruby web server interface and the Infodraw Media Relay Service (MRS). Both flaws expose systems to potential attacks, including unauthorized file access, malicious data injection, and even system compromise. These vulnerabilities, if exploited, could result in severe security breaches.
Critical Vulnerabilities in Rack Ruby Web Server
The Rack Ruby web server interface is facing three significant security flaws that could allow attackers to exploit sensitive information or inject harmful data. The vulnerabilities, identified by cybersecurity vendor OPSWAT, are as follows:
- CVE-2025-27610 (CVSS score: 7.5) – A path traversal vulnerability that could allow an attacker to access any file located within the specified root directory, provided the attacker can determine the paths to those files.
- CVE-2025-27111 (CVSS score: 6.9) – Improper neutralization of carriage return line feed (CRLF) sequences and improper output neutralization for logs, allowing attackers to manipulate log entries.
- CVE-2025-25184 (CVSS score: 5.7) – Similar to the previous flaw, this vulnerability allows attackers to inject malicious data and distort log files using CRLF sequence manipulation.
The most critical vulnerability, CVE-2025-27610, is especially concerning. It could enable unauthenticated attackers to retrieve sensitive files, such as configuration settings, credentials, and confidential data, potentially leading to data breaches. This flaw stems from a misconfiguration in Rack::Static, a middleware used to serve static content (like JavaScript and images). If the :root parameter is not explicitly defined, the server defaults to the current working directory, inadvertently exposing it to attack.
Attackers can exploit this vulnerability by manipulating file paths outside of the static file directory, gaining unauthorized access to sensitive data. To mitigate this risk, users are advised to update to the latest version of the server or remove the use of Rack::Static. If the :root parameter must be used, it should point to a secure directory containing only publicly accessible files.
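As an added example (not the article's text or the Rack project's code), the following minimal Rack-style middleware shows the mitigation described above: it refuses to start without an explicit :root and rejects any request whose canonical path resolves outside that directory. The class name SafeStatic and the helpers build_fixture and probe are hypothetical, and the fixture files are constructed for the demonstration.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical hardened static-file middleware following Rack's call(env)
# contract. It is not Rack::Static; it shows the two mitigations the advisory
# implies: an explicit, public-only :root and a containment check on the
# canonical path. In a real config.ru the fix is the explicit option:
#   use Rack::Static, urls: ["/media"]                  # root falls back to Dir.pwd
#   use Rack::Static, urls: ["/media"], root: "public"  # only public assets
class SafeStatic
  def initialize(app, urls:, root:)
    raise ArgumentError, "an explicit :root is required" if root.nil?
    @app  = app
    @urls = urls
    @root = File.realpath(root)   # canonical, symlink-free public directory
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    return @app.call(env) unless @urls.any? { |u| path.start_with?(u) }
    # Decode percent-escapes exactly once (as bytes); a NUL byte is never valid.
    decoded = path.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
    return not_found if decoded.include?("\0")
    candidate = File.expand_path(".#{decoded}", @root)   # collapses "." and ".."
    return not_found unless File.file?(candidate)
    # Resolve symlinks, then require the real path to sit strictly under @root.
    real = File.realpath(candidate)
    return not_found unless real.start_with?(@root + File::SEPARATOR)
    [200, { "content-type" => "application/octet-stream" }, [File.binread(real)]]
  end

  def not_found
    [404, { "content-type" => "text/plain" }, ["not found"]]
  end
end

# Constructed fixture: a public dir holding one asset, plus a secret outside it.
def build_fixture(base)
  FileUtils.mkdir_p(File.join(base, "public", "media"))
  File.write(File.join(base, "public", "media", "app.js"), "console.log(1)")
  File.write(File.join(base, "secret.txt"), "constructed secret")
  File.join(base, "public")
end

# Returns the status SafeStatic yields for each request path under a given root.
def probe(root, paths)
  app = SafeStatic.new(->(_env) { [204, {}, []] }, urls: ["/media"], root: root)
  paths.map { |p| app.call("PATH_INFO" => p).first }
end
```

Pointing :root at a directory that holds only public assets keeps even an in-root lookup harmless, which is the advisory's second recommendation.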
Infodraw Media Relay Service Exposes Sensitive Systems
In a separate disclosure, a critical vulnerability in the Infodraw Media Relay Service (MRS) has been identified. MRS, an Israeli surveillance solution used for video and GPS data transmission, is plagued by a path traversal vulnerability (CVE-2025-43928, CVSS score: 9.8). This flaw allows unauthenticated attackers to read or delete arbitrary files on vulnerable systems.
The vulnerability resides in the username parameter on the login page of MRS, enabling attackers to manipulate the parameter (e.g., “../../../../”) to traverse the file system and gain unauthorized access to files. This flaw impacts both Windows and Linux versions of MRS, leaving users vulnerable to file manipulation.
Furthermore, an arbitrary file deletion vulnerability exists, allowing attackers to delete critical files from the system, potentially disrupting operations. Researchers have reported that this vulnerability remains unpatched, with affected systems in Belgium and Luxembourg already taken offline following responsible disclosure.
Security researcher Tim Philipp Schäfers warned that, due to the lack of an available patch, organizations relying on the Infodraw MRS should immediately take the application offline. If this is not feasible, additional protective measures, such as using a VPN or IP restrictions, should be implemented to minimize the risk of exploitation.
Both the Rack Ruby web server and Infodraw Media Relay Service are facing serious security risks that could lead to data breaches, system tampering, and unauthorized access. Users of these systems are urged to apply patches or take immediate precautions to secure their environments. As these vulnerabilities continue to be exploited in the wild, rapid mitigation is critical to preventing further damage.