Description
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.
Published: 2026-04-02
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Host and Scheme Spoofing
Action: Apply Patch
AI Analysis

Impact

Rack, a modular Ruby web server interface, interprets the RFC 7239 Forwarded header by splitting on semicolons before processing quoted-string values. Quoted values may legitimately contain semicolons, so a single header can be read as multiple Forwarded directives instead of a single quoted value. This parsing quirk allows an attacker to smuggle host, proto, for, or by parameters into one header, causing Rack to believe the request originates from a forged host or scheme. The result is host and scheme spoofing, which can mislead applications that rely on these header values for authentication or routing.
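The parsing discrepancy described above, as an added Ruby illustration that is not Rack's own code: a naive parser that splits the Forwarded value on separators before handling quoted strings, beside a quote-aware parser that treats semicolons inside an RFC 7239 quoted-string as literal characters. The function names, the regex and the sample header are constructed for this example.

```ruby
# Added illustration, not Rack's own code: two parsers for the RFC 7239
# Forwarded header, differing only in when quoted-strings are handled.

# Naive: split on separators first, strip quotes afterwards. A ';' inside
# a quoted value becomes a pair boundary, so extra name=value pairs appear.
def naive_forwarded_pairs(header)
  header.split(/[;,]/).map do |pair|
    name, value = pair.strip.split("=", 2)
    [name.to_s.downcase, value.to_s.delete('"')]
  end
end

# Quote-aware: one match per pair; a value is either a quoted-string
# (with backslash escapes, and ';' or ',' allowed inside) or a bare token.
# Stray separators between pairs are skipped by String#scan.
FORWARDED_PAIR = /([^=;,\s"]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;,\s"]*)/

def quote_aware_forwarded_pairs(header)
  header.scan(FORWARDED_PAIR).map do |name, raw|
    # Unwrap the quoted-string and resolve quoted-pair escapes (\x -> x).
    value = raw.start_with?('"') ? raw[1..-2].gsub(/\\(.)/, '\1') : raw
    [name.downcase, value]
  end
end

# Constructed sample: a single quoted "for" value that contains ';'.
SAMPLE_FORWARDED = 'for="_gazonk;host=forged.example";proto=https'

# True when the two parsers disagree, i.e. the header would be read
# differently by a quote-aware intermediary and a naive downstream parser.
def parsing_disagrees?(header)
  naive_forwarded_pairs(header) != quote_aware_forwarded_pairs(header)
end

if __FILE__ == $PROGRAM_NAME
  p naive_forwarded_pairs(SAMPLE_FORWARDED)
  p quote_aware_forwarded_pairs(SAMPLE_FORWARDED)
end
```

On the sample the naive parser yields three pairs, including a host pair that the sender never placed outside the quotes, while the quote-aware parser yields exactly one for pair and one proto pair.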

Affected Systems

The vulnerable product is Rack. Versions from 3.0.0.beta1 up to 3.1.20, and from 3.2.0 up to 3.2.5, are affected. The issue is fixed in Rack 3.1.21 and 3.2.6.

Risk and Exploitability

The vulnerability has a CVSS score of 4.8, indicating moderate severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote HTTP request that includes a malicious Forwarded header to the Rack application. The attacker only needs to send a request that incorporates the forged header. Successful exploitation results in host or scheme spoofing, potentially undermining any logic that depends on these forwarded values.

Generated by OpenCVE AI on April 2, 2026 at 22:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rack to at least version 3.1.21 or 3.2.6.
  • Verify the deployed version, for example by checking the gem specification or runtime environment.
  • Restart the web application to ensure the updated Rack middleware is loaded.

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-qfgr-crr9-7r49   Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
History

Fri, 03 Apr 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Rack; Rack rack
Vendors & Products                     Rack; Rack rack

Thu, 02 Apr 2026 20:30:00 +0000

Type           Values Removed   Values Added
Description                     Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.
Title                           Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
Weaknesses                      CWE-436
References
Metrics                         cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}
                                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T17:42:42.305Z

Reserved: 2026-03-13T18:53:03.533Z

Link: CVE-2026-32762

Vulnrichment

Updated: 2026-04-02T17:42:37.595Z

NVD

Status : Undergoing Analysis

Published: 2026-04-02T18:16:27.730

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-32762

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:18:15Z

Weaknesses