Rack
cpe:2.3:a:rack:rack:*:*:*:*:ruby:*:*, +3 more
- >= 3.0.0.beta1, < 3.1.21
- >= 3.2.0, < 3.2.6
A vulnerability exists in Rack, a Ruby web server interface, in versions 3.0.0.beta1 prior to 3.1.21 and 3.2.0 prior to 3.2.6. The issue arises in the `Rack::Utils.forwarded_values` method, which improperly parses the RFC 7239 `Forwarded` header by splitting on semicolons before addressing quoted-string values. Since quoted values can legally include semicolons, this parsing error can lead to a header being misinterpreted as multiple `Forwarded` directives instead of a single quoted value. In environments where an upstream proxy, WAF, or intermediary handles quoted `Forwarded` values differently, this can enable an attacker to smuggle `host`, `proto`, `for`, or `by` parameters through a single header value, potentially leading to host or scheme spoofing in derived request values.
Exploitation of this vulnerability can result in host or scheme spoofing, allowing attacker-controlled values to be injected into request metadata. This can affect derived URL components such as `req.host`, `req.scheme`, `req.base_url`, or `req.url`, leading to downstream security issues, especially if those values are used for sensitive operations like password resets, redirects, or logging.
Users are advised to update Rack to version 3.1.21 or 3.2.6, where this vulnerability has been patched. It is also recommended to avoid trusting client-supplied `Forwarded` headers unless they have been normalized or regenerated by a trusted reverse proxy. Instead, strip inbound `Forwarded` headers at the edge and reconstruct them from trusted proxy metadata.
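To make the parsing defect and the fix concrete, here is an added Ruby example (not Rack's own code) that places a simplified stand-in for the defect described above, which splits each element on `;` before considering quoted-strings, next to a quote-aware RFC 7239 parser. A `validated_forwarded` helper then enforces the RFC rule that a parameter may appear at most once per element. The header values, the function names and the hostnames are constructed for illustration and are not from the advisory.

```ruby
require 'strscan'

# Constructed sample headers (not from the advisory).
BENIGN    = 'for=192.0.2.60;proto=https;host=app.example;by=203.0.113.43, for="[2001:db8::1]:4711"'
AMBIGUOUS = 'host="app.example;host=other.example"'   # one quoted value containing ';'

# Stand-in for the defective shape: split on ',' and ';' first, strip quotes later.
# A quoted value that contains ';' is therefore seen as two parameters.
def naive_forwarded_values(header)
  header.split(',').map do |element|
    element.split(';').each_with_object({}) do |pair, acc|
      key, value = pair.strip.split('=', 2)
      next unless key && value
      (acc[key.downcase] ||= []) << value.delete_prefix('"').delete_suffix('"')
    end
  end
end

# Quote-aware parser: elements separated by ',', parameters by ';', and a value is
# either a token or a quoted-string in which ';' and ',' are ordinary characters.
# Returns an array of elements; each element maps a lowercase name to an array of
# values so that repeated parameters remain visible to the caller.
def forwarded_elements(header)
  scanner  = StringScanner.new(header)
  elements = [{}]
  loop do
    scanner.skip(/[ \t]*/)
    break if scanner.eos?
    if scanner.scan(/,/)
      elements << {}
      next
    end
    next if scanner.scan(/;/)

    key = scanner.scan(/[^=;,\s]+/) or raise ArgumentError, "expected parameter name at #{scanner.pos}"
    scanner.skip(/[ \t]*/)
    scanner.scan(/=/) or raise ArgumentError, "expected '=' after #{key}"
    scanner.skip(/[ \t]*/)

    if scanner.scan(/"/)
      # quoted-string: read up to the closing '"', honouring backslash escapes
      value = +''
      loop do
        ch = scanner.getch or raise ArgumentError, 'unterminated quoted-string'
        if ch == '\\'
          value << (scanner.getch or raise ArgumentError, 'dangling backslash')
        elsif ch == '"'
          break
        else
          value << ch
        end
      end
      scanner.skip(/[ \t]*/)
      unless scanner.eos? || scanner.check(/[;,]/)
        raise ArgumentError, "unexpected data after quoted-string at #{scanner.pos}"
      end
    else
      value = scanner.scan(/[^;,\s"]*/)   # token
    end
    (elements.last[key.downcase] ||= []) << value
  end
  elements.reject(&:empty?)
end

# Strict view for application code: RFC 7239 allows each parameter at most once
# per element, so a repeat is rejected rather than silently resolved.
def validated_forwarded(header)
  forwarded_elements(header).map do |element|
    dup = element.find { |_, vals| vals.size > 1 }
    raise ArgumentError, "parameter '#{dup.first}' repeated within one element" if dup
    element.transform_values(&:first)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "naive:       #{naive_forwarded_values(AMBIGUOUS).inspect}"
  puts "quote-aware: #{forwarded_elements(AMBIGUOUS).inspect}"
  puts "validated:   #{validated_forwarded(BENIGN).inspect}"
end
```

Run against `AMBIGUOUS`, the naive split reports two `host` parameters while the quote-aware parser reports the single quoted value, which is the disagreement between components that the advisory describes. Even with the correct parser, the safest deployment is the one the advisory recommends: drop any inbound `Forwarded` header at the trusted edge and let that proxy emit a fresh one, so the application never has to arbitrate between parsers.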