CVE-2026-32762
Header Injection Vulnerability in Rack Forwarded Header Parsing
Publication date: 2026-04-02
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rack | rack | From 3.0.0 (inc) to 3.1.21 (exc) |
| rack | rack | From 3.2.0 (inc) to 3.2.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-436 | Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to smuggle spoofed values for host, proto, for, or by parameters through a single Forwarded header, potentially leading to host or scheme spoofing. Such spoofing can impact password reset links, redirects, absolute URL generation, logging, IP-based access controls, or backend requests.
Because these impacts can affect the integrity and accuracy of request metadata and logging, organizations subject to compliance standards like GDPR or HIPAA may face challenges ensuring data integrity, accurate access controls, and reliable audit trails if this vulnerability is exploited.
Mitigation involves upgrading to patched versions of Rack and avoiding reliance on untrusted Forwarded headers, which helps maintain compliance by ensuring that request metadata and logging are accurate and trustworthy.
Can you explain this vulnerability to me?
CVE-2026-32762 is a moderate severity vulnerability in the RubyGems package "rack" affecting certain versions before 3.1.21 and 3.2.6. The issue arises because the method Rack::Utils.forwarded_values incorrectly parses the RFC 7239 Forwarded HTTP header by splitting on semicolons before handling quoted-string values. Since quoted values may legally contain semicolons, this causes Rack to interpret a single quoted value as multiple separate Forwarded directives.
This parsing discrepancy allows an attacker to smuggle or inject spoofed parameters such as host, proto (scheme), for, or by within a single Forwarded header. Applications relying on these values for request metadata may be tricked into using attacker-controlled values, leading to host or scheme spoofing.
How can this vulnerability impact me?
This vulnerability can impact applications by allowing attackers to spoof critical request metadata such as the host, scheme, or client IP address. This can affect password reset links, redirects, absolute URL generation, logging, IP-based access controls, or backend requests.
The practical impact depends on the deployment architecture, especially where upstream proxies or intermediaries validate or preserve Forwarded headers differently than Rack. If an attacker can inject spoofed values, they may manipulate how the application interprets request origins or destinations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper parsing of the RFC 7239 Forwarded HTTP header by Rack, which can be detected by inspecting HTTP requests for suspicious Forwarded headers containing quoted strings with semicolons.
To detect potential exploitation attempts on your network or system, you can monitor HTTP traffic for Forwarded headers that include semicolons inside quoted strings, such as: `Forwarded: for="127.0.0.1;host=evil.com;proto=https"`.
Commands to help detect this might include using network traffic capture and inspection tools like tcpdump or Wireshark to filter HTTP headers, or using command-line tools like curl or grep on server logs to search for suspicious Forwarded headers.
- Use tcpdump to capture HTTP traffic and filter for Forwarded headers: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i Forwarded`
- Search web server logs for Forwarded headers containing semicolons inside quotes: `grep -i 'Forwarded:.*".*;.*"' /var/log/nginx/access.log`
- Use curl to send crafted Forwarded headers and observe application behavior for testing: `curl -H 'Forwarded: for="127.0.0.1;host=evil.com;proto=https"' http://yourserver/`
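The parsing discrepancy described above, and the detection rule the commands approximate, can be seen side by side in a small Ruby script. This is an added example, not Rack's own code: `naive_forwarded_values` reproduces the flawed behaviour (splitting on `;` before handling quoted strings), `rfc7239_forwarded_values` is a quote-aware parser written for this page, and `suspicious_forwarded?` flags any header whose quoted value contains a separator, or that fails to parse at all. The header values in `SAMPLE_HEADERS` are constructed, not captured traffic.

```ruby
# Added example (not Rack's code): naive vs. quote-aware parsing of the
# RFC 7239 Forwarded header, plus a detection check over sample values.
require "strscan"

# Naive parse: split on ';' first, then on '='. A quoted value that contains
# ';' is thereby turned into several directives (the CVE-2026-32762 shape).
def naive_forwarded_values(header)
  header.split(";").each_with_object({}) do |pair, acc|
    key, value = pair.split("=", 2)
    next if key.nil? || value.nil?
    acc[key.strip.downcase] = value.strip.delete('"')
  end
end

# RFC 7239 grammar (simplified): elements separated by ',', pairs within an
# element separated by ';', value is a token or a quoted-string.
TOKEN  = /[!#$%&'*+\-.^_`|~0-9A-Za-z]+/
QUOTED = /"((?:[^"\\]|\\.)*)"/

# Quote-aware parse: returns one Hash per forwarded element. A ';', ',' or
# '=' inside a quoted-string stays inside that value. Raises ArgumentError on
# malformed input instead of guessing.
def rfc7239_forwarded_values(header)
  s = StringScanner.new(header)
  elements = [{}]
  loop do
    s.skip(/\s*/)
    break if s.eos?
    key = s.scan(TOKEN) or raise ArgumentError, "expected token at #{s.pos}"
    s.skip(/\s*=\s*/) or raise ArgumentError, "expected '=' after #{key}"
    value = if s.scan(QUOTED)
              s[1].gsub(/\\(.)/, '\1') # unescape \" and \\ inside quotes
            else
              s.scan(TOKEN) || ""
            end
    elements.last[key.downcase] = value
    s.skip(/\s*/)
    case s.getch
    when ";", nil then next
    when ","      then elements << {}
    else raise ArgumentError, "unexpected separator at #{s.pos - 1}"
    end
  end
  elements
end

# Detection rule: a value that legitimately needs quoting (IPv6 literal with
# port, obfuscated identifier) never contains ';', ',' or '='. Unparseable
# headers are treated as suspicious rather than silently ignored.
def suspicious_forwarded?(header)
  rfc7239_forwarded_values(header).any? do |element|
    element.values.any? { |v| v.match?(/[;,=]/) }
  end
rescue ArgumentError
  true
end

# Constructed sample header values (not real traffic).
SAMPLE_HEADERS = [
  'for=192.0.2.43;proto=https;host=example.com',
  'for="127.0.0.1;host=evil.com;proto=https"',
  'for="[2001:db8:cafe::17]:4711";proto=https',
].freeze

def flagged_headers(headers = SAMPLE_HEADERS)
  headers.select { |h| suspicious_forwarded?(h) }
end

if __FILE__ == $PROGRAM_NAME
  smuggled = 'for="127.0.0.1;host=evil.com;proto=https"'
  puts "naive:   #{naive_forwarded_values(smuggled).inspect}"
  puts "rfc7239: #{rfc7239_forwarded_values(smuggled).inspect}"
  puts "flagged: #{flagged_headers.inspect}"
end
```

Two caveats the one-liners above leave implicit: the `tcpdump` capture only sees cleartext HTTP on port 80, so it tells you nothing about TLS traffic unless you inspect it after termination, and the `grep` over `access.log` only finds anything if the log format records the Forwarded header, which the common default formats do not. Running the `suspicious_forwarded?` check inside the proxy or application, where the header value is available in cleartext, avoids both gaps.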
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the Rack Ruby gem to a patched version: 3.1.21 or later in the 3.1.x series, or 3.2.6 or later in the 3.2.x series.
Additional immediate steps include avoiding trusting client-supplied Forwarded headers unless they are normalized or regenerated by trusted proxies.
It is recommended to strip inbound Forwarded headers at the edge of your network and reconstruct them from trusted metadata sources.
Security-sensitive operations should avoid relying on request metadata such as req.host, req.scheme, req.base_url, or req.url unless the forwarding chain is explicitly trusted and validated.
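One way to apply the "do not trust client-supplied Forwarded headers" advice inside a Rack application, as an added example that is not part of Rack or of this advisory: a middleware that deletes the forwarding headers unless the TCP peer (`REMOTE_ADDR`) is inside a configured trusted-proxy range. The class name `StripUntrustedForwarded`, the `trusted_proxies:` keyword and the header list are this example's own choices; the `10.0.0.0/8` range and the request environments built by `forwarded_seen_by_app` are constructed for illustration. It assumes the edge proxy, not this middleware, is where a fresh Forwarded header gets regenerated.

```ruby
# Added example (not Rack's code): drop forwarding headers from requests that
# did not arrive via a trusted proxy, so Rack::Utils.forwarded_values and the
# req.host / req.scheme / req.url helpers only see metadata the edge set.
require "ipaddr"

class StripUntrustedForwarded
  # Both the RFC 7239 header and the de-facto X-Forwarded-* family, in Rack
  # env key form. Extend if your stack honours others.
  FORWARDING_HEADERS = %w[
    HTTP_FORWARDED
    HTTP_X_FORWARDED_FOR
    HTTP_X_FORWARDED_HOST
    HTTP_X_FORWARDED_PROTO
    HTTP_X_FORWARDED_PORT
  ].freeze

  # trusted_proxies: array of CIDR strings for the proxies that sit directly
  # in front of this process (hypothetical default used in the demo below).
  def initialize(app, trusted_proxies:)
    @app = app
    @trusted = trusted_proxies.map { |cidr| IPAddr.new(cidr) }
  end

  def call(env)
    FORWARDING_HEADERS.each { |h| env.delete(h) } unless trusted_peer?(env["REMOTE_ADDR"])
    @app.call(env)
  end

  private

  # Only the immediate peer can be checked here; anything further up the
  # chain has to be vouched for by that peer's own header handling.
  def trusted_peer?(remote_addr)
    return false if remote_addr.nil? || remote_addr.empty?
    ip = IPAddr.new(remote_addr)
    @trusted.any? { |net| net.include?(ip) }
  rescue IPAddr::InvalidAddressError
    false # unparseable peer address: fail closed
  end
end

# Demo helper with a constructed Rack env (not a real request): returns the
# Forwarded value the wrapped application actually observed, or nil.
def forwarded_seen_by_app(remote_addr, forwarded, trusted: ["10.0.0.0/8"])
  seen = :unset
  app = lambda do |env|
    seen = env["HTTP_FORWARDED"]
    [200, { "content-type" => "text/plain" }, ["ok"]]
  end
  env = {
    "REQUEST_METHOD" => "GET",
    "PATH_INFO"      => "/",
    "REMOTE_ADDR"    => remote_addr,
    "HTTP_FORWARDED" => forwarded,
  }
  StripUntrustedForwarded.new(app, trusted_proxies: trusted).call(env)
  seen
end

if __FILE__ == $PROGRAM_NAME
  p forwarded_seen_by_app("203.0.113.5", 'for="127.0.0.1;host=evil.com;proto=https"')
  p forwarded_seen_by_app("10.1.2.3", "for=192.0.2.43;proto=https")
end
```

Mount it ahead of anything that reads request metadata (`use StripUntrustedForwarded, trusted_proxies: [...]` early in `config.ru`). Stripping here is defence in depth, not a substitute for upgrading: the patched gem versions fix the parser itself, and this middleware only narrows who can reach it with a header at all.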