Jonathan Hefner

Researcher from HackerOne
#42936 of 53,630
6.1 Total CVSS
Vulnerabilities · 1
PT-2021-4062
6.1
2021-05-01
Ruby · Action Pack · CVE-2021-22903
**Name of the Vulnerable Software and Affected Versions**

actionpack ruby gem, versions prior to 6.1.3.2

**Description**

The Host Authorization middleware in Action Pack converts each string in `config.hosts` into a regular expression. Before 6.1.3.2, strings without a leading dot were interpolated into that pattern without escaping, so every `.` in the allowed hostname matched any character instead of a literal dot. Specially crafted Host headers, combined with such "allowed host" entries, can therefore pass the host check and be used to redirect users to a malicious website (an open redirect). For example, `config.hosts << "sub.example.com"` permits a request with a Host header value of `sub-example.com`. Entries with a leading dot (for example `.example.com`) were already escaped and are not affected by this particular defect. This vulnerability is similar to a previously known issue in the same middleware.

**Recommendations**

Update the actionpack ruby gem to version 6.1.3.2 or later. If you cannot upgrade immediately, apply the following monkey patch as a workaround by adding it to an initializer; it escapes the host string in both branches of `sanitize_string`:

```ruby
class ActionDispatch::HostAuthorization::Permissions
  def sanitize_string(host)
    if host.start_with?(".")
      /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
    else
      /\A#{Regexp.escape host}\z/i
    end
  end
end
```

Patches are also available for the 6.1 release series.
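To see the bypass and the fix side by side without booting a Rails application, the following is an added example (not code from the Rails project or from the advisory) that re-implements the regular-expression conversion described above in both its vulnerable and its fixed form. The allow-list, the Host header values and the `normalize_host` helper (which drops a trailing `:port` as an assumption about how the middleware normalizes the header before matching) are constructed for this example.

```ruby
# Added example: stand-alone re-implementation of how a config.hosts string is
# turned into a Regexp before and after the 6.1.3.2 fix. Not Rails code.

# Pre-6.1.3.2 behaviour as described in the advisory: a host without a leading
# dot is interpolated unescaped, so "." matches any character.
def vulnerable_pattern(host)
  if host.start_with?(".")
    /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
  else
    /\A#{host}\z/i # unescaped: "sub.example.com" also matches "sub-example.com"
  end
end

# Fixed behaviour (what the monkey patch installs): both branches escape the host.
def fixed_pattern(host)
  if host.start_with?(".")
    /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
  else
    /\A#{Regexp.escape host}\z/i
  end
end

# Assumption for this example: strip a trailing :port from the raw Host header
# before matching, so "sub.example.com:8080" is compared as "sub.example.com".
def normalize_host(header)
  header.to_s.sub(/:\d+\z/, "")
end

# Does an allow-list (array of config.hosts strings) accept this Host header,
# using the given pattern builder?
def allowed?(hosts, header, pattern_builder)
  host = normalize_host(header)
  hosts.any? { |entry| pattern_builder.call(entry).match?(host) }
end

def vulnerable_allows?(hosts, header)
  allowed?(hosts, header, method(:vulnerable_pattern))
end

def fixed_allows?(hosts, header)
  allowed?(hosts, header, method(:fixed_pattern))
end

if __FILE__ == $PROGRAM_NAME
  hosts = ["sub.example.com", ".internal.example"] # constructed allow-list
  %w[sub.example.com sub-example.com subXexample.com SUB.EXAMPLE.COM:8080
     sub.example.com.evil.test internal.example app.internal.example
     appinternal.example].each do |h|
    printf("%-28s vulnerable=%-5s fixed=%s\n", h,
           vulnerable_allows?(hosts, h), fixed_allows?(hosts, h))
  end
end
```

Only the no-leading-dot branch differs between the two builders: the leading-dot form was already escaped, which is why `.internal.example` behaves identically under both, while `sub.example.com` lets `sub-example.com` and `subXexample.com` through under the vulnerable pattern and rejects them under the fixed one.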