CVE-2021-22942
Description
A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Action Pack's Host Authorization middleware in Rails ≥6.0.0 has an open redirect flaw via crafted X-Forwarded-Host headers when allowed hosts include a leading dot.
Vulnerability
CVE-2021-22942 is an open redirect vulnerability in the Host Authorization middleware of Action Pack (Ruby on Rails). Affected versions are Rails 6.0.0 through 6.0.4.1, 6.1.0 through 6.1.4.1, and 7.0.0.rc1. The middleware fails to properly validate specially crafted X-Forwarded-Host headers when the application's config.hosts includes entries with a leading dot (e.g., '.EXAMPLE.com'). This allows bypassing host authorization checks [1][2][3].
Exploitation
An attacker must be able to send HTTP requests to the Rails application and inject a malicious X-Forwarded-Host header. The application must have configured config.hosts with a leading dot (e.g., config.hosts << '.example.com'). When a request with a crafted X-Forwarded-Host header (e.g., evil.com) reaches the middleware, the malicious host is allowed because the leading dot pattern is misparsed, causing a redirect to the attacker-controlled domain [3].
Impact
Successful exploitation leads to an open redirect. An attacker can redirect users to a malicious website, enabling phishing attacks or credential theft. The vulnerability does not directly lead to code execution or data disclosure, but it can be used as a stepping stone for social engineering attacks [1][2]. The redirect occurs at the application level, appearing to come from a trusted Rails application.
Mitigation
Rails has released fixed versions: 6.0.4.2, 6.1.4.2, and 7.0.0.rc2 [3]. Users should upgrade immediately. As a workaround, avoid using leading dots in config.hosts entries. No public KEV listing exists for this CVE at this time [2]. If upgrade is not possible, applications can implement custom host validation to reject unexpected redirects.
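As an added illustration of the custom host validation mentioned above (not Rails' own code): a Rack-style check that applies the allowlist to both the Host and X-Forwarded-Host headers, matching a strictly validated hostname with plain string comparison so that a leading-dot entry is handled without any pattern parsing. `host_allowed?`, `forwarded_host_allowed?` and the constructed `env` hashes are assumptions of this example.

```ruby
# Added example, not Action Pack's middleware. A ".example.com" entry is taken
# to mean "example.com and any of its subdomains"; everything else is an
# exact hostname. Anything that is not a plain hostname (optionally with a
# port) is rejected before any comparison happens.

# One or more DNS labels separated by dots, anchored to the true start and end
# of the string (\A and \z), so embedded newlines or extra text never match.
HOSTNAME = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/i

# raw: the header value as received (Host or X-Forwarded-Host).
# allowed: the application's allowlist, e.g. ['.example.com', 'admin.internal'].
def host_allowed?(raw, allowed)
  return false if raw.nil?
  host = raw.downcase.sub(/:\d+\z/, '')   # drop an explicit port, nothing else
  return false unless host.match?(HOSTNAME)

  allowed.any? do |entry|
    entry = entry.downcase
    if entry.start_with?('.')
      base = entry[1..-1]                 # ".example.com" -> "example.com"
      host == base || host.end_with?(entry)
    else
      host == entry
    end
  end
end

# Every header that can influence redirect URL generation must pass; a
# forwarded host that is not on the allowlist fails the request even when
# the Host header itself is fine.
def forwarded_host_allowed?(env, allowed)
  headers = [env['HTTP_HOST'], env['HTTP_X_FORWARDED_HOST']].compact
  return false if headers.empty?
  headers.all? { |h| host_allowed?(h, allowed) }
end

if $PROGRAM_NAME == __FILE__
  allowed = ['.example.com']
  # Constructed request environments for demonstration.
  good = { 'HTTP_HOST' => 'app.example.com' }
  bad  = { 'HTTP_HOST' => 'app.example.com', 'HTTP_X_FORWARDED_HOST' => 'evil.com' }
  puts "legitimate request allowed: #{forwarded_host_allowed?(good, allowed)}"
  puts "forged forwarded host allowed: #{forwarded_host_allowed?(bad, allowed)}"
end
```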
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| actionpack (RubyGems) | >= 6.0.0, < 6.0.4.1 | 6.0.4.1 |
| actionpack (RubyGems) | >= 6.1.0, < 6.1.4.1 | 6.1.4.1 |
Affected products
- Action Pack (GHSA coordinates, 2 version ranges): >= 6.0.0, < 6.0.4.1 (+1 more)
- (no CPE) range: >= 6.0.0, < 6.0.4.1
- (no CPE) range: < 6.0.4.4-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2rqw-v265-jf8c (ghsa: advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-22942 (ghsa: advisory)
- www.debian.org/security/2023/dsa-5372 (ghsa: vendor advisory, web)
- www.openwall.com/lists/oss-security/2021/12/14/5 (ghsa: mailing list, web)
- access.redhat.com/security/cve/cve-2021-22942 (ghsa: web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml (ghsa: web)
- groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c (ghsa: web)
- rubygems.org/gems/actionpack (ghsa: web)
- security.netapp.com/advisory/ntap-20240202-0005 (ghsa: web)
- weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released (ghsa: web)
- security.netapp.com/advisory/ntap-20240202-0005/ (mitre)
- weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/ (mitre)
News mentions
No linked articles in our index yet.