Impact
The vulnerability sits in Rack’s request parsing logic, where the Host header is matched against an AUTHORITY regular expression that accepts characters forbidden in RFC-compliant hostnames, such as '/', '?', '#', and '@'. Apps that determine a request’s origin or generate URLs from req.host, req.url or req.base_url can inadvertently trust the attacker-supplied value. Consequently, a crafted Host header can poison the host used for redirects, link generation or origin validation, enabling phishing, open redirects or privilege escalation.
Affected Systems
Ruby web applications built on the Rack framework are directly affected. Specific vulnerable releases are Rack 3.0.0.beta1 up to 3.1.20 and Rack 3.2.0 up to 3.2.5. The issue was fixed in Rack 3.1.21 and 3.2.6. Users of these versions should verify that their environment runs a patched release.
Risk and Exploitability
The CVSS base score of 4.8 indicates moderate severity. Exploitation requires only that the attacker can send a custom Host header, which is trivial for any HTTP client. Because the EPSS score is unavailable and the vulnerability is not listed in CISA’s KEV, there is currently no evidence of active exploitation. However, the attack path is straightforward, and the impact can be significant for applications that rely on host allowlists for security checks, making this a low to moderate risk that should be mitigated promptly.
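The strict hostname syntax check plus allowlist that the sections above point to, as an added example in Ruby (not Rack's own code): it validates the raw header string rather than relying on req.host, and the allowed hosts, default host and sample header values are constructed for illustration.

```ruby
# Added example (not Rack's own code): strict Host validation an app can
# apply before trusting the value for redirects or URL generation.

# One RFC 1123 label: alphanumerics and hyphens, 1-63 chars, no edge hyphen.
LABEL = /[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/i
# Dotted labels, optional trailing dot, optional :port; nothing else,
# so '/', '?', '#', '@' and similar characters never match.
STRICT_HOST = /\A(?<host>#{LABEL}(?:\.#{LABEL})*\.?)(?::(?<port>\d{1,5}))?\z/

# Returns [lowercased hostname, port-or-nil] when the raw header is
# syntactically a hostname, nil otherwise (IPv6 literals are out of scope here).
def parse_strict_host(raw)
  return nil if raw.nil? || raw.length > 255
  m = STRICT_HOST.match(raw)
  return nil unless m
  port = m[:port] && m[:port].to_i
  return nil if port && !(1..65_535).cover?(port)
  [m[:host].downcase.chomp("."), port]
end

# Host to use when building absolute URLs. Falls back to +default+ when the
# header is malformed or not on the allowlist, so a request can never steer
# generated links to a host the application does not own.
def trusted_host(raw_host, allowed:, default:)
  host, port = parse_strict_host(raw_host)
  return default if host.nil? || !allowed.include?(host)
  port ? "#{host}:#{port}" : host
end

# Runs the check over constructed sample Host values (not captured traffic)
# and returns a Hash of raw value => host the app would actually use.
def demo
  allowed = %w[example.com www.example.com] # assumed allowlist
  [
    "example.com",            # accepted as-is
    "www.example.com:8443",   # valid port is kept
    "Example.COM.",           # case and trailing dot normalised
    "attacker.test",          # well-formed but not allowlisted
    "example.com/evil",       # '/' rejected
    "example.com?x=1",        # '?' rejected
    "example.com#frag",       # '#' rejected
    "user@example.com",       # '@' rejected
    "example.com:99999",      # port out of range
  ].to_h { |raw| [raw, trusted_host(raw, allowed: allowed, default: "example.com")] }
end

puts demo if $PROGRAM_NAME == __FILE__
```

In a Rack app the raw value comes from env["HTTP_HOST"]; anything that does not pass falls back to the configured canonical host instead of being echoed into a redirect.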
OpenCVE Enrichment
GitHub GHSA