PT-2026-29844 · Rack+2

Th4S1S · Published 2026-04-02 · Updated 2026-04-17 · CVE-2026-32762

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Rack versions 3.0.0.beta1 through 3.1.20 and 3.2.0 through 3.2.5
Description: Rack::Utils.forwarded_values, the component of the Rack web server interface that parses the RFC 7239 Forwarded header, splits the header value on semicolons before it handles quoted-string values. RFC 7239 permits a quoted value to contain semicolons, so a header such as for="...;host=..." is a single directive under the RFC but is read by Rack as several. An attacker who controls the Forwarded header can therefore smuggle additional host, proto, for or by parameters inside one quoted value. Applications that derive request metadata (host, scheme, client address and related URL components) from the Forwarded header may act on attacker-controlled values, which can result in host or scheme spoofing.
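The following is an added example, not Rack's own source: it places a naive parser that splits on ';' before looking at quotes (an illustrative reconstruction of the bug class in the description, not Rack's actual code) beside an RFC 7239-style tokenizer that consumes a quoted-string as a whole, and runs both over constructed headers. The sample header values, the function names and the TCHAR definition (the token character set from RFC 7230) are all assumptions of this example.

```ruby
require "strscan"

# Added example (not Rack's own code): two parsers for the RFC 7239 Forwarded
# header, run side by side to show how "split on ';' first" misreads a quoted value.

# tchar from RFC 7230 section 3.2.6; RFC 7239 values are a token or a quoted-string.
TCHAR = /[!\#$%&'*+\-.^_`|~0-9A-Za-z]+/

# Flawed approach: split the header on ';' and ',' first and only then look at
# each name=value pair, stripping any quote characters it finds. This is an
# illustrative reconstruction of the bug class, not the actual Rack source.
def naive_forwarded_values(header)
  header.split(";").each_with_object({}) do |field, values|
    field.split(",").each do |pair|
      name, value = pair.split("=", 2).map(&:strip)
      next if name.nil? || value.nil?
      (values[name.downcase] ||= []) << value.delete('"')
    end
  end
end

# RFC 7239-aware approach: tokenize left to right, so a quoted-string is consumed
# whole (including any ';' or ',' inside it) before the next delimiter is looked
# at. Malformed input is rejected instead of guessed at. Note that the returned
# 'for'/'by' values still need validation as node identifiers by the caller.
def rfc7239_forwarded_values(header)
  s = StringScanner.new(header)
  values = {}
  loop do
    s.skip(/[\s;,]+/)                     # tolerate empty elements and OWS
    break if s.eos?
    name = s.scan(TCHAR) or raise ArgumentError, "expected parameter name at #{s.pos}"
    s.skip(/\s*=\s*/) or raise ArgumentError, "expected '=' after #{name}"
    if s.skip(/"/)
      raw = s.scan(/(?:\\.|[^"\\])*/)     # quoted-string body, with quoted-pairs
      s.skip(/"/) or raise ArgumentError, "unterminated quoted-string for #{name}"
      value = raw.gsub(/\\(.)/, '\1')     # unescape \x quoted-pairs
    else
      value = s.scan(TCHAR) or raise ArgumentError, "expected value for #{name}"
    end
    (values[name.downcase] ||= []) << value
    s.skip(/\s*/)
    break if s.eos?
    s.skip(/[;,]/) or raise ArgumentError, "unexpected #{s.peek(1).inspect} at #{s.pos}"
  end
  values
end

# Parameter names the naive parser "sees" that the RFC parser does not: anything
# listed here was smuggled inside a quoted value.
def smuggled_parameters(header)
  naive_forwarded_values(header).keys - rfc7239_forwarded_values(header).keys
end

# Constructed sample headers for this example (not captured traffic).
BENIGN   = 'for=192.0.2.60;proto=http;by=203.0.113.43, for="[2001:db8:cafe::17]:4711"'
SMUGGLED = 'for="198.51.100.7;host=evil.example";proto=https'

if $PROGRAM_NAME == __FILE__
  [BENIGN, SMUGGLED].each do |h|
    puts "header:   #{h}"
    puts "naive:    #{naive_forwarded_values(h)}"
    puts "rfc7239:  #{rfc7239_forwarded_values(h)}"
    puts "smuggled: #{smuggled_parameters(h)}"
  end
end
```

Both parsers agree on the benign header. On the smuggled one the naive parser reports a host parameter of evil.example that the sender never wrote as a directive, while the RFC parser returns a single, obviously bogus for value and no host at all, which is the point at which a validating caller should reject the request.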
Recommendations: Update to Rack 3.1.21 or 3.2.6. Do not trust client-supplied Forwarded headers unless a trusted reverse proxy normalizes or regenerates them; preferably strip inbound Forwarded headers at the edge and rebuild them from the proxy's own connection metadata. Do not use req.host, req.scheme, req.base_url or req.url for security-sensitive decisions unless the forwarding chain is explicitly trusted and validated.
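As an added example of the "strip at the edge and rebuild from trusted metadata" recommendation (not code from Rack or the advisory), the hypothetical middleware below trusts forwarding headers only when the immediate TCP peer is in an assumed list of proxy networks and otherwise drops them and regenerates Forwarded from REMOTE_ADDR and rack.url_scheme. It goes a little beyond the advisory by treating the de facto X-Forwarded-* headers the same way; the class name, the trusted_proxies CIDR list and the sample requests are assumptions of this example.

```ruby
require "ipaddr"

# Added example, not part of Rack: a hypothetical middleware that only lets
# forwarding headers through when the immediate peer (REMOTE_ADDR) is a known
# proxy, and otherwise rebuilds Forwarded from facts this server knows itself.
class TrustedForwardedOnly
  # Forwarded per RFC 7239 plus the X-Forwarded-* family, since an application
  # reading either one is exposed to the same host/scheme spoofing.
  FORWARDING_HEADERS = %w[
    HTTP_FORWARDED HTTP_X_FORWARDED_FOR HTTP_X_FORWARDED_HOST HTTP_X_FORWARDED_PROTO
  ].freeze

  # trusted_proxies: CIDR strings such as ["10.0.0.0/8"] (assumed deployment values).
  def initialize(app, trusted_proxies:)
    @app = app
    @trusted = trusted_proxies.map { |cidr| IPAddr.new(cidr) }
  end

  def call(env)
    peer = env["REMOTE_ADDR"]
    unless trusted_peer?(peer)
      # Untrusted peer: everything it sent in Forwarded / X-Forwarded-* is
      # attacker-controlled, so drop it all.
      FORWARDING_HEADERS.each { |h| env.delete(h) }
      # Rebuild Forwarded from the peer address and the scheme of the socket the
      # request actually arrived on, so downstream code that reads the header
      # still sees consistent, non-attacker-controlled values.
      env["HTTP_FORWARDED"] = "for=#{node_identifier(peer)};proto=#{env['rack.url_scheme']}"
    end
    @app.call(env)
  end

  # True only if addr parses as an IP and falls inside a trusted network.
  def trusted_peer?(addr)
    return false if addr.nil? || addr.empty?
    ip = IPAddr.new(addr)
    @trusted.any? { |net| net.include?(ip) }
  rescue IPAddr::InvalidAddressError
    false
  end

  # RFC 7239 node identifier: an IPv6 address must be bracketed and, because ':'
  # is not a token character, quoted; an unknown peer is spelled "unknown".
  def node_identifier(addr)
    return "unknown" if addr.nil? || addr.empty?
    addr.include?(":") ? %("[#{addr}]") : addr
  end
end
```

With this in front of the application, req.host and req.scheme reflect either the trusted proxy's view or the server's own socket, never a header the client wrote. Put the middleware as early in the stack as possible, before anything that consults Forwarded.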

Related Identifiers

CVE-2026-32762
GHSA-QFGR-CRR9-7R49
USN-8182-1

Affected Products

Linuxmint
Rack
Ubuntu