CVE-2026-32762

EUVD-2026-18423 | MEDIUM
2026-04-02 | GitHub_M | GHSA-qfgr-crr9-7r49
CVSS 3.1 base score: 4.8

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Patch Released: Apr 03, 2026 - 02:30 (nvd) - patch available
EUVD ID Assigned: Apr 02, 2026 - 17:30 (euvd) - EUVD-2026-18423
Analysis Generated: Apr 02, 2026 - 17:30 (vuln.today)
CVE Published: Apr 02, 2026 - 17:06 (nvd) - MEDIUM 4.8

Description

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.

Analysis

Rack::Utils.forwarded_values in Rack 3.0.0.beta1 through 3.1.20 and 3.2.0 through 3.2.5 misparses RFC 7239 Forwarded headers by splitting on semicolons before processing quoted strings, allowing attackers to inject or smuggle host, proto, for, or by parameters when an upstream proxy or WAF interprets the same header differently. The vulnerability affects request routing and protocol detection logic, enabling potential cache poisoning, host header injection, or protocol confusion attacks in architectures where intermediaries validate quoted Forwarded values inconsistently. …
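To make the parsing discrepancy concrete, here is an added example (my own code, not Rack's implementation or its patch) that puts a naive split-on-semicolon parse beside a quote-aware RFC 7239 parse and flags headers on which the two disagree, which is the condition a defender would want to detect at the edge. The header values are constructed for illustration.

```ruby
require 'strscan'

# Naive parse: split on ';' first, then on '='. A quoted value that contains
# ';' is torn into extra pairs, which is the defect the advisory describes.
def naive_forwarded_pairs(value)
  value.split(';').map do |pair|
    k, v = pair.split('=', 2)
    [k.to_s.strip.downcase, v.to_s.strip.delete('"')]
  end
end

# Quote-aware parse: a quoted-string (with backslash quoted-pairs) is one
# token, so a ';' inside quotes never starts a new pair. Elements separated
# by ',' are flattened into one ordered list of [name, value] pairs.
def rfc7239_forwarded_pairs(value)
  pairs = []
  s = StringScanner.new(value)
  loop do
    s.skip(/[\s;,]*/)
    break if s.eos?
    name = s.scan(/[^=;,\s]+/) or raise ArgumentError, "bad element at #{s.pos}"
    s.skip(/\s*/)
    raise ArgumentError, "missing '=' after #{name}" unless s.skip(/=/)
    s.skip(/\s*/)
    if s.skip(/"/)
      val = String.new
      until s.skip(/"/)
        s.skip(/\\/) # quoted-pair: the next character is literal
        c = s.getch or raise ArgumentError, "unterminated quoted value for #{name}"
        val << c
      end
    else
      val = s.scan(/[^;,\s]*/)
    end
    pairs << [name.downcase, val]
  end
  pairs
end

# Defensive check: true when a semicolon-splitting consumer and an RFC 7239
# consumer would see different parameters in the same header value.
def forwarded_parse_disagrees?(value)
  naive_forwarded_pairs(value) != rfc7239_forwarded_pairs(value)
rescue ArgumentError
  true # malformed headers are also worth rejecting upstream
end
```

A quoted IPv6 value such as for="[2001:db8::1]:4711" parses identically both ways; only a quoted value containing ';' makes the two parsers diverge.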


Priority Score

24 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +24
POC: 0
