CVE-2021-22903
Description
The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. This is similar to CVE-2021-22881. Strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping. This causes, for example, config.hosts << "sub.example.com" to permit a request with a Host header value of sub-example.com.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Action Pack before 6.1.3.2 has an open redirect due to improper escaping of Host header patterns in config.hosts.
Vulnerability
The actionpack Ruby gem versions 6.1.0.rc2 through 6.1.3.1 contain a possible open redirect vulnerability in the Host Authorization middleware. Since commit 9bc7ea5, strings in config.hosts that do not have a leading dot are converted to regular expressions without proper escaping [3][4]. For example, config.hosts << "sub.example.com" incorrectly permits a request with a Host header value of sub-example.com (where the dot is replaced by a hyphen) [1][3]. The vulnerability is similar to CVE-2021-22881 [1][3][4].
Exploitation
An attacker can supply a specially crafted Host header that matches the improperly-escaped regex derived from an allowed host entry [1][3]. No authentication or user interaction is required; the attacker only needs to send a malicious HTTP request to an application that uses the affected Action Pack version and has at least one config.hosts entry without a leading dot [3][4]. The middleware then permits the request, potentially redirecting the user to an attacker-controlled site if the application performs a redirect based on the Host header [1][3].
Impact
Successful exploitation allows an attacker to redirect users to a malicious website, leading to phishing, credential theft, or other social engineering attacks [1][3][4]. The attacker gains no direct code execution or data access, but the open redirect can be used to undermine the trust of application users [3].
Mitigation
The fixed version is 6.1.3.2, released on June 11, 2021 [1][3][4]. Users of 6.1.0.rc2 through 6.1.3.1 should upgrade immediately. For those unable to upgrade, a monkey patch workaround is available: override ActionDispatch::HostAuthorization::Permissions#sanitize_string to properly escape the host string [3][4]. Patches for the 6.1 series (as a git-am patch) are also provided [3][4]. Only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported; users of earlier unsupported releases should upgrade to a supported version [3][4].
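As an added illustration of the unescaped conversion described under Vulnerability and of the escaping that the sanitize_string workaround restores (this is the editor's own model, not Action Pack's code; the method names, the port-stripping step and the sample hosts are assumptions):

```ruby
# Added model of the bug (not Action Pack's code): how a config.hosts entry
# becomes a matcher, in its vulnerable and its fixed form. Method names are
# this example's own; only the leading-dot convention comes from the advisory.

# Vulnerable conversion: the entry is interpolated unescaped, so every "."
# in "sub.example.com" acts as a wildcard that also matches "-".
def vulnerable_pattern(host)
  if host.start_with?(".")
    /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i   # ".example.com" plus subdomains
  else
    /\A#{host}\z/i                                # no escaping: the flaw
  end
end

# Fixed conversion: Regexp.escape makes each literal character match only itself.
def fixed_pattern(host)
  if host.start_with?(".")
    /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
  else
    /\A#{Regexp.escape(host)}\z/i
  end
end

# Check one Host header value against the allow list. Stripping a ":port"
# suffix before matching is an assumption of this model.
def host_allowed?(allowed_hosts, header_value, pattern_builder)
  hostname = header_value.sub(/:\d+\z/, "")
  allowed_hosts.any? { |entry| pattern_builder.call(entry).match?(hostname) }
end

# Defender check: which config.hosts entries match differently before and
# after the fix? Any entry containing regexp metacharacters (usually ".")
# shows up here and deserves review on an app still running 6.1.0.rc2-6.1.3.1.
def affected_entries(allowed_hosts)
  allowed_hosts.select { |e| vulnerable_pattern(e).source != fixed_pattern(e).source }
end

ALLOWED = ["sub.example.com", ".internal.test"].freeze                     # constructed config.hosts
SAMPLES = ["sub.example.com", "sub-example.com:443", "api.internal.test"].freeze  # constructed Host headers

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |h|
    v = host_allowed?(ALLOWED, h, method(:vulnerable_pattern))
    f = host_allowed?(ALLOWED, h, method(:fixed_pattern))
    puts format("%-22s vulnerable=%-5s fixed=%s", h, v, f)
  end
  puts "entries affected by the unescaped conversion: #{affected_entries(ALLOWED).inspect}"
end
```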
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| actionpack (RubyGems) | >= 6.1.0.rc2, < 6.1.3.2 | 6.1.3.2 |
Affected products
- actionpack/actionpack ruby gem
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5hq2-xf89-9jxq (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-22903 (NVD)
- discuss.rubyonrails.org/t/cve-2021-22903-possible-open-redirect-vulnerability-in-action-pack/77867 (Rails security announcement)
- github.com/rails/rails/releases/tag/v6.1.3.2 (release notes)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22903.yml (ruby-advisory-db entry)
- groups.google.com/g/rubyonrails-security/c/8TxqXEtgSF0 (rubyonrails-security list)
- hackerone.com/reports/1148025 (HackerOne report)
News mentions
No linked articles in our index yet.