CVE-2026-34835
ADVISORY - githubSummary
Summary
Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed.
For example, a check such as req.host.start_with?("myapp.com") can be bypassed with Host: myapp.com@evil.com, and a check such as req.host.end_with?("myapp.com") can be bypassed with Host: evil.com/myapp.com.
This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation.
Details
Rack::Request parses the authority component using logic equivalent to:
AUTHORITY = /
\A
(?<host>
\[(?<address>#{ipv6})\]
|
(?<address>[[[:graph:]&&[^\[\]]]]*?)
)
(:(?<port>\d+))?
\z
/x
The character class used for non-IPv6 hosts accepts nearly all printable characters except [ and ]. This includes reserved URI delimiters such as @, /, ?, and #, which are not valid hostname characters under RFC 3986 host syntax.
As a result, values such as the following are accepted and returned through req.host:
myapp.com@evil.com
evil.com/myapp.com
evil.com#myapp.com
Applications that attempt to allowlist hosts using string prefix or suffix checks may therefore treat attacker-controlled hosts as trusted. For example:
req.host.start_with?("myapp.com")
accepts:
myapp.com@evil.com
and:
req.host.end_with?("myapp.com")
accepts:
evil.com/myapp.com
When those values are later used to build absolute URLs or enforce origin restrictions, the application may produce attacker-controlled results.
Impact
Applications that rely on req.host, req.url, or req.base_url may be affected if they perform naive host validation or assume Rack only returns RFC-valid hostnames.
In affected deployments, an attacker may be able to bypass host allowlists and poison generated links, redirects, or origin-dependent security decisions. This can enable attacks such as password reset link poisoning or other host header injection issues.
The practical impact depends on application behavior. If the application or reverse proxy already enforces strict host validation, exploitability may be reduced or eliminated.
Mitigation
- Update to a patched version of Rack that rejects invalid authority characters in
Host. - Enforce strict
Hostheader validation at the reverse proxy or load balancer. - Do not rely on prefix or suffix string checks such as
start_with?orend_with?for host allowlisting. - Use exact host allowlists, or exact subdomain boundary checks, after validating that the host is syntactically valid.
Common Weakness Enumeration (CWE)
Improper Validation of Syntactic Correctness of Input
Improper Validation of Syntactic Correctness of Input
Improper Validation of Syntactic Correctness of Input
GitHub
2.2
CVSS SCORE
4.8medium| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| rack | gem | - | - | >=3.2.0,<3.2.6 | 3.2.6 |
| rack | gem | - | - | >=3.0.0.beta1,<3.1.21 | 3.1.21 |
CVSS:3 Severity and metrics
The CVSS metrics represent different qualitative aspects of a vulnerability that impact the overall score, as defined by the CVSS Specification.
The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
A successful attack depends on conditions beyond the attacker's control, requiring investing a measurable amount of effort in research, preparation, or execution against the vulnerable component before a successful attack.
The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
The vulnerable system can be exploited without interaction from any user.
An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component.
Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component.
There is no impact to availability within the impacted component.
NIST
2.2
CVSS SCORE
4.8mediumDebian
-
Ubuntu
-
CVSS SCORE
N/AmediumRed Hat
2.2
CVSS SCORE
4.8mediumminimos
MINI-2wff-rm7x-5hhg
-
minimos
MINI-c78r-gmcp-8jg2
-
minimos
MINI-fxmj-rmp7-gw8q
-
minimos
MINI-pfq4-7ghw-xf4m
-
minimos
MINI-rfg4-7hqj-6mwx
-