Cached redirect poisoning via X-Forwarded-Host header
Description
Ratpack versions prior to 1.9.0 are vulnerable to cache poisoning via an attacker-controlled X-Forwarded-Host header, enabling redirect hijacking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Ratpack versions prior to 1.9.0 are vulnerable to cache poisoning when an HTTP cache is placed in front of the server and the cache key does not include the X-Forwarded-Host header. By default, Ratpack uses an inferring PublicAddress implementation that derives the server's address from the request context, including the X-Forwarded-Host header. This allows an attacker to supply a malicious X-Forwarded-Host value to influence the server's redirect responses. Users who have configured a custom PublicAddress instance via ServerConfigBuilder::publicAddress are not affected [1][2][3].
Exploitation
An attacker must be able to send HTTP requests to a Ratpack application that is fronted by a cache that does not key on the X-Forwarded-Host header. The attacker sends a request with a crafted X-Forwarded-Host header pointing to an attacker-controlled domain. If the application issues a redirect (e.g., after a login or a POST request), the server's default PublicAddress will use the attacker-supplied host to construct the redirect URL. The cache stores this malicious redirect response. Subsequent requests from other users will receive the cached redirect, sending them to the attacker's site [1][2][3].
Impact
Successful exploitation results in redirect cache poisoning. An attacker can force cached redirect responses to direct users to a malicious website, enabling phishing, malware distribution, or other attacks that rely on the user trusting the redirect source. The attack does not require authentication or special privileges; only network access to the Ratpack server is needed [1][2][3].
Mitigation
The vulnerability is patched in Ratpack version 1.9.0, released on June 29, 2021. The fix includes two changes: the default PublicAddress no longer infers the address from the request context, and relative redirects are no longer absolutized (they are passed through as-is). Users unable to upgrade should configure a custom PublicAddress using ServerConfigBuilder::publicAddress to explicitly set the server's public address in production [2][3]. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
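The following is an added example, not code from the advisory or the Ratpack project, contrasting the pre-1.9.0 default (an inferring PublicAddress that reads request headers such as X-Forwarded-Host) with an explicit public address set through ServerConfigBuilder::publicAddress, the workaround recommended above. The hostname app.example.com, the port and the handler paths are assumptions.

```java
import java.net.URI;

import ratpack.server.RatpackServer;
import ratpack.server.ServerConfig;

/**
 * Added example (not from the advisory or the Ratpack project): the weak default
 * configuration beside the hardened one with a fixed PublicAddress.
 * Hostname, port and paths are assumed values.
 */
public class ExplicitPublicAddressExample {

  /** Weak: no publicAddress, so versions before 1.9.0 infer it from request headers. */
  static ServerConfig inferringConfig() {
    return ServerConfig.builder()
        .port(5050)
        .build();
  }

  /** Hardened: the public address is fixed in configuration, so request headers cannot change it. */
  static ServerConfig explicitConfig() {
    return ServerConfig.builder()
        .port(5050)
        .publicAddress(URI.create("https://app.example.com")) // assumed production origin
        .build();
  }

  public static void main(String... args) throws Exception {
    RatpackServer.start(server -> server
        .serverConfig(explicitConfig())
        .handlers(chain -> chain
            // Before 1.9.0 this relative redirect is absolutized with the PublicAddress.
            // With explicitConfig() the Location header is built from app.example.com
            // regardless of any X-Forwarded-Host value a client or proxy supplies.
            .get("login", ctx -> ctx.redirect("/account"))
            .get("account", ctx -> ctx.render("account page"))
        )
    );
  }
}
```

Independently of the Ratpack version, the fronting cache should include X-Forwarded-Host in its cache key so that a response generated for one forwarded host is never served to requests for another.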
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.ratpack:ratpack-core | Maven | < 1.9.0 | 1.9.0 |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
1. github.com/advisories/GHSA-w6rq-6h34-vh7q (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-29479 (GHSA, advisory)
3. github.com/ratpack/ratpack/security/advisories/GHSA-w6rq-6h34-vh7q (GHSA, x_refsource_CONFIRM, web)
4. portswigger.net/web-security/web-cache-poisoning (GHSA, x_refsource_MISC, web)
News mentions (0)
No linked articles in our index yet.