Rack
cpe:2.3:a:rack:rack:*:*:*:*:ruby:*:*, +3 more
- >= 3.0.0.beta1, < 3.1.21
- >= 3.2.0, < 3.2.6
A vulnerability in Rack's request handling has been identified, specifically in versions 3.0.0.beta1 prior to 3.1.21, and 3.2.0 prior to 3.2.6. The issue arises because Rack::Request parses the Host header with a regular expression that allows characters not permitted in RFC-compliant hostnames, such as '/', '?', '#', and '@'. This improper parsing can be exploited to bypass host validation checks in applications that use naive prefix or suffix comparisons. As a result, it may lead to host header poisoning, particularly in applications that rely on req.host, req.url, or req.base_url for generating links, handling redirects, or validating origins.
Exploiting this vulnerability can bypass host allowlists and inject malicious values into links or redirects, potentially manipulating origin-based security decisions. The actual impact varies depending on the application's handling of such injected values.
Users are advised to update Rack to version 3.1.21 or 3.2.6, both of which address this vulnerability by rejecting invalid characters in the Host header. Additionally, enforcing strict Host header validation at the reverse proxy or load balancer can help mitigate the issue.
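To make the mitigation concrete, here is an added example (not Rack's own code, and not from the advisory) that contrasts the naive suffix comparison the advisory warns about with a strict check: validate the Host value against an RFC 1123 hostname grammar first, then compare the host name exactly against an allowlist. The names `VALID_HOST`, `ALLOWED_HOSTS`, `host_allowed_naive?`, `host_allowed_exact?` and the `StrictHost` middleware are assumptions for this example, and the allowlist entries are constructed.

```ruby
# Added example, not Rack's own code. Assumed names: VALID_HOST, ALLOWED_HOSTS,
# host_allowed_naive?, host_allowed_exact?, StrictHost.

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens
# (no leading or trailing hyphen), optional trailing dot, optional numeric port.
# Characters such as '/', '?', '#' and '@' can never match this grammar.
LABEL = /[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/
VALID_HOST = /\A#{LABEL}(?:\.#{LABEL})*\.?(?::\d{1,5})?\z/

# Constructed allowlist for the example application (exact host names only).
ALLOWED_HOSTS = %w[example.com www.example.com].freeze

# Split a syntactically valid Host value into a normalised name and optional port.
def split_host(value)
  name, port = value.split(":", 2)
  [name.downcase.chomp("."), port]
end

# Naive check of the kind the advisory describes: a suffix comparison on the
# raw header value. It accepts any value that happens to end in the suffix.
def host_allowed_naive?(value)
  value.to_s.end_with?("example.com")
end

# Hardened check: reject anything that is not a well-formed hostname, then
# require an exact allowlist match on the name part.
# Caveat: this grammar deliberately does not accept bracketed IPv6 literals
# such as "[::1]:3000"; extend it if the application must serve those.
def host_allowed_exact?(value)
  return false unless value.is_a?(String) && VALID_HOST.match?(value)
  name, _port = split_host(value)
  ALLOWED_HOSTS.include?(name)
end

# Rack-style middleware that refuses requests whose Host header fails the
# hardened check before the downstream app ever sees req.host or req.base_url.
class StrictHost
  def initialize(app)
    @app = app
  end

  def call(env)
    host = env["HTTP_HOST"].to_s
    unless host_allowed_exact?(host)
      return [400, { "content-type" => "text/plain" }, ["Bad Request: invalid Host header"]]
    end
    @app.call(env)
  end
end

# Usage sketch in a config.ru (constructed):
#   use StrictHost
#   run MyApp
```

The exact-match comparison is the important part: a suffix or prefix test on the raw header accepts values like `notexample.com`, and once the header can carry characters outside the hostname grammar, any substring-based check becomes a weak origin signal. Rejecting at the edge (reverse proxy or load balancer) and again in middleware gives defence in depth if one layer is misconfigured.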