VYPR
Moderate severity · NVD Advisory · Published Aug 29, 2011 · Updated Apr 29, 2026

CVE-2011-3186

Description

CRLF injection in Ruby on Rails 2.3.x via Content-Type header allows HTTP response splitting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers via the Content-Type header [1]. The vulnerability exists because the framework fails to sanitize newline characters in the Content-Type header before constructing the HTTP response.

Exploitation

An attacker can send a specially crafted HTTP request with a Content-Type header containing CRLF sequences (\r\n) followed by arbitrary header lines. No authentication is required; the attacker needs only to make a request to a Rails application running a vulnerable version [1].

Impact

Successful exploitation enables HTTP response splitting, allowing the attacker to inject arbitrary HTTP headers into the response. This can lead to cache poisoning, cross-site scripting (XSS), and session fixation attacks [1].

Mitigation

The fix was released in Ruby on Rails 2.3.13 [3]. Users should upgrade to 2.3.13 or later. No workarounds are documented for unpatched versions.
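As an added illustration (not code from the Rails project or from this advisory), the Ruby script below builds a minimal HTTP/1.1 response head from a header hash, parses it back the way a client or cache would, and shows how a Content-Type value carrying a raw CR/LF becomes a second header, while escaping CR and LF the way the 2.3.13 patch does keeps the response to a single Content-Type header. The serializer, parser, builder and detection helper names are my own, the sample payload is constructed (it has the same shape as the one in the Rails regression test), and the percent-encoding is done inline because URI.escape, which the patch used, is no longer available in current Ruby versions.

```ruby
# Added example (not Rails code): how a CR/LF in a header value splits the
# serialized response, and how escaping it the way the 2.3.13 fix does
# keeps the response to a single Content-Type header.

# Serialize a response head the way an HTTP/1.1 server would, joining each
# header as "Name: value" followed by CRLF. Nothing here validates values.
def serialize_head(status, headers)
  lines = ["HTTP/1.1 #{status}"]
  headers.each { |name, value| lines << "#{name}: #{value}" }
  lines.join("\r\n") + "\r\n\r\n"
end

# Parse the head back into a hash of header name => value, as a client or
# cache would. Extra lines introduced by a raw CR/LF in a value become
# headers of their own here, which is what "response splitting" means.
def parse_head(raw)
  head, _body = raw.split("\r\n\r\n", 2)
  _status, *header_lines = head.split("\r\n")
  header_lines.each_with_object({}) do |line, h|
    name, value = line.split(": ", 2)
    h[name] = value
  end
end

# Before the fix: the supplied media type goes into the header value as-is.
def vulnerable_content_type(mime_type, charset = "utf-8")
  "#{mime_type}; charset=#{charset}"
end

# After the fix (same idea as the 2.3.13 patch, which called URI.escape on
# "\r\n"): percent-encode CR and LF so the value cannot end the header line.
# URI.escape is gone from Ruby 3, so the encoding is done inline (assumption:
# a hand-rolled encoder stands in for it here).
def hardened_content_type(mime_type, charset = "utf-8")
  value = "#{mime_type}; charset=#{charset}"
  value.gsub(/[\r\n]/) { |c| format("%%%02X", c.ord) }
end

# Detection helper for application code or a logging filter: a raw CR or LF
# in a value about to be written into a response header is either a splitting
# attempt or a bug, and worth rejecting and logging before it is sent.
def header_value_suspicious?(value)
  value.match?(/[\r\n]/)
end

# Constructed sample input: a media type followed by a CRLF and an injected
# header line, the same shape as the payload in the Rails regression test.
TAINTED = "hello/world\r\nAttack: true"

# Build a response with the tainted value via the given builder and return
# the header names a client would see after parsing it.
def injected_header_names(content_type_builder)
  ct = send(content_type_builder, TAINTED)
  raw = serialize_head("200 OK", "Content-Type" => ct, "Content-Length" => "5")
  parse_head(raw).keys
end

if __FILE__ == $0
  puts "vulnerable: #{injected_header_names(:vulnerable_content_type).inspect}"
  puts "hardened:   #{injected_header_names(:hardened_content_type).inspect}"
  puts "suspicious? #{header_value_suspicious?(TAINTED)}"
end
```

Run with `ruby crlf_demo.rb`: the vulnerable builder yields three header names, including the injected `Attack`, while the hardened builder yields only `Content-Type` and `Content-Length`. Note that escaping, as the patch does, leaves a malformed media type in the header; rejecting the value outright (the detection helper) is the stricter choice for application code that copies request data into response headers.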

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Ecosystem   Affected versions     Patched versions
actionpack  RubyGems    >= 2.3.0, < 2.3.13    2.3.13

Affected products

8 entries
  • Rubyonrails/Rails (7 versions)
    • cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*
  • ghsa-coords
    Range: >= 2.3.0, < 2.3.13

Patches

1 patch
11dafeaa7533

fixing response splitting problem

https://github.com/rails/rails · Aaron Patterson · Aug 16, 2011 · via ghsa
2 files changed · +12 −1
  • actionpack/lib/action_controller/response.rb  +2 −1  modified
    @@ -64,12 +64,13 @@ def location=(url) headers['Location'] = url end
         # the character set information will also be included in the content type
         # information.
         def content_type=(mime_type)
    -      self.headers["Content-Type"] =
    +      new_content_type =
             if mime_type =~ /charset/ || (c = charset).nil?
               mime_type.to_s
             else
               "#{mime_type}; charset=#{c}"
             end
    +      self.headers["Content-Type"] = URI.escape(new_content_type, "\r\n")
         end
     
         # Returns the response's content MIME type, or nil if content type has been set.
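Review bot: `self.headers["Content-Type"] = URI.escape(new_content_type, "\r\n")` percent-encodes CR and LF instead of rejecting them, so a tainted value still reaches the client as a single but malformed Content-Type header with the injected text preserved inside it; raising an ArgumentError when `new_content_type` contains CR or LF would surface the misuse to the application rather than silently rewriting the value. Either way, the comment block above `content_type=` should state that newline characters are escaped (or refused) here, since callers passing request data will otherwise not expect the value to change.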
    
  • actionpack/test/controller/content_type_test.rb  +10 −0  modified
    @@ -46,6 +46,11 @@ def render_default_content_types_for_respond_to
           format.rss  { render :text   => "hello world!", :content_type => Mime::XML }
         end
       end
    +  
    +  def render_content_type_from_user_input
    +    response.content_type= params[:hello]
    +    render :text=>"hello"
    +  end
     
       def rescue_action(e) raise end
     end
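Review bot: Style in the new action: `response.content_type= params[:hello]` and `render :text=>"hello"` drop the spacing the surrounding file uses (`:content_type => Mime::XML`, `render :text   => "hello world!"`); write `response.content_type = params[:hello]` and `render :text => "hello"`. The added `+  ` line before the method is trailing whitespace and should be an empty line.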
    @@ -129,6 +134,11 @@ def test_change_for_rxml
         assert_equal Mime::HTML, @response.content_type
         assert_equal "utf-8", @response.charset
       end
    +  
    +  def test_user_supplied_value
    +    get :render_content_type_from_user_input, :hello=>"hello/world\r\nAttack: true"
    +    assert_equal "hello/world%0D%0AAttack: true", @response.content_type
    +  end
     end
     
     class AcceptBasedContentTypeTest < ActionController::TestCase
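Review bot: `assert_equal "hello/world%0D%0AAttack: true", @response.content_type` only pins the encoded string; the property this regression test exists for is that no second header is emitted, so add an assertion that the response carries no `Attack` header (for example `assert_nil @response.headers["Attack"]`) so the test keeps passing if the escaping strategy later changes to stripping or rejecting. The `+  ` line before `def test_user_supplied_value` is trailing whitespace.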
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

17
