CVE-2021-33621
Description
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HTTP response splitting vulnerability in Ruby's cgi gem allows attackers to inject malicious headers or body via untrusted user input.
Vulnerability
Overview
The cgi gem for Ruby, versions before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5, is vulnerable to HTTP response splitting [1][3]. The root cause is insufficient validation of user-supplied data when generating HTTP responses or creating CGI::Cookie objects. An attacker can inject carriage return and line feed (CRLF) sequences into the output, enabling them to split the HTTP response and inject arbitrary headers or body content [2][3].
Exploitation
Exploitation requires an application that uses untrusted user input to construct HTTP responses or CGI::Cookie objects [1]. No authentication is needed if the vulnerable endpoint is publicly accessible. The attacker can craft a malicious input containing CRLF characters, which the cgi gem fails to sanitize, leading to response splitting [3]. This attack is particularly relevant for applications that reflect user input in HTTP headers or cookie attributes.
Impact
Successful exploitation allows an attacker to perform HTTP response splitting, potentially leading to cross-site scripting (XSS), cache poisoning, or session fixation [3]. By injecting a Set-Cookie header into the split response, an attacker could overwrite legitimate cookies or set arbitrary cookie attributes, compromising user sessions [2][3]. The impact is limited to applications that place untrusted input in response headers or in CGI::Cookie objects in the described manner; the gem is not reachable by an attacker on its own.
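The following is an added example and not code from the cgi gem or from any of the cited advisories. It reproduces the mechanics described under Exploitation and Impact with a minimal header builder of its own: an untrusted value interpolated into a header line carries CR/LF, a client parses the bytes after the CR/LF as a second header (here a Set-Cookie), and a hardened builder refuses the value before it reaches the wire. The builder and probe names, the EVIL_LOCATION input and the sample headers are constructed for the example; the probe only reports whether the locally installed cgi gem raises ArgumentError for a CR/LF-bearing cookie name (the behaviour expected of a patched gem) or accepts it.

```ruby
# Added example for CVE-2021-33621 (not the cgi gem's code).  Shows how a
# CR/LF in a header value splits the response, and how a hardened builder
# rejects it.  All names below are the example's own.
require "cgi"

CRLF = "\r\n"

# Builder that mirrors the vulnerable pattern: header values are trusted verbatim.
def naive_response_head(headers)
  headers.map { |name, value| "#{name}: #{value}" }.join(CRLF) + CRLF + CRLF
end

# Parse the raw head back into [name, value] pairs the way a client would,
# stopping at the blank line that ends the header block.
def parse_head(raw)
  head, _body = raw.split(CRLF + CRLF, 2)
  head.split(CRLF).map { |line| line.split(": ", 2) }
end

# Hardened builder: reject CR, LF and NUL in values and non-token header
# names before they reach the wire.  Rejecting is safer than stripping, since
# a stripped value is silently different from what the application intended.
HEADER_NAME_RE  = /\A[!#%&'*+\-.^_`|~0-9A-Za-z$]+\z/
HEADER_VALUE_RE = /\A[^\r\n\x00]*\z/

class HeaderInjection < ArgumentError; end

def safe_response_head(headers)
  headers.each do |name, value|
    raise HeaderInjection, "bad header name #{name.inspect}" unless HEADER_NAME_RE.match?(name.to_s)
    raise HeaderInjection, "CR/LF in #{name}" unless HEADER_VALUE_RE.match?(value.to_s)
  end
  naive_response_head(headers)
end

# Probe the installed cgi gem with a CR/LF-bearing cookie *name*: a patched
# gem is expected to raise ArgumentError, an unpatched one to accept it.
def cookie_name_probe(name)
  CGI::Cookie.new(name, "1")
  :accepted
rescue ArgumentError
  :rejected
end

# Cookie *values* are percent-escaped by CGI::Cookie#to_s, so a CR/LF placed
# there does not split the line; returns the Set-Cookie text, or nil if the
# installed gem refuses the value outright.
def cookie_value_on_wire(value)
  CGI::Cookie.new("sid", value).to_s
rescue ArgumentError
  nil
end

# Constructed attacker input: a "redirect target" that smuggles a Set-Cookie.
EVIL_LOCATION = "/home\r\nSet-Cookie: session=attacker-chosen"

if __FILE__ == $0
  raw = naive_response_head("Location" => EVIL_LOCATION)
  parse_head(raw).each { |n, v| puts "#{n} => #{v.inspect}" }
  begin
    safe_response_head("Location" => EVIL_LOCATION)
  rescue HeaderInjection => e
    puts "hardened builder: #{e.message}"
  end
  version = defined?(CGI::VERSION) ? CGI::VERSION : "unknown"
  puts "installed cgi #{version}: CR/LF cookie name #{cookie_name_probe("sid\r\nX: y")}"
end
```

The naive builder emits two header lines from one application-supplied value, which is exactly the split a proxy or browser will honour; the hardened builder fails closed on any CR, LF or NUL. Run the block against a project's own Ruby to see whether its cgi gem rejects the CR/LF cookie name.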
Mitigation
The vulnerability is fixed in cgi gem versions 0.3.5, 0.2.2, and 0.1.0.2 [3]. Users should update to these versions or later, for example with gem update cgi or by pinning the fixed version in the Gemfile [3]. Because cgi is a default gem bundled with Ruby, the fix also ships in Ruby releases and in distribution packages of Ruby itself; the Affected products list below reflects this (for example Ruby 2.7 before 2.7.7 and Ruby 3.0 before 3.0.5). No workarounds are documented; patching is the recommended action. Independently of the gem version, an application should never place a value it has not checked for CR and LF into a response header or a cookie name, path or domain.
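As an added check (not part of the advisory), the block below classifies a cgi gem version against the three affected series from the table using RubyGems' own version comparison, and reports the first patched release to move to. The Gemfile.lock excerpt is constructed for the example; the function names are the example's own.

```ruby
# Added example for CVE-2021-33621: map a cgi gem version to the patched
# release it should be upgraded to, or nil when it is not affected.
require "rubygems"
require "cgi"

# Affected ranges as published for this CVE, paired with the fix version.
CGI_AFFECTED = [
  ["< 0.1.0.2",         "0.1.0.2"],
  [">= 0.2.0, < 0.2.2", "0.2.2"],
  [">= 0.3.0, < 0.3.5", "0.3.5"],
].map { |req, fixed| [Gem::Requirement.new(*req.split(", ")), Gem::Version.new(fixed)] }

# Returns the patched version string for an affected version, else nil.
def cgi_fix_for(version_string)
  v = Gem::Version.new(version_string)
  CGI_AFFECTED.each { |req, fixed| return fixed.to_s if req.satisfied_by?(v) }
  nil
end

# Pull the resolved cgi version out of Gemfile.lock text (specs are indented
# four spaces in the lockfile format); nil when cgi is not pinned there.
def cgi_version_in_lockfile(lock_text)
  lock_text[/^ {4}cgi \(([^)]+)\)/, 1]
end

# Constructed sample lockfile resolving an affected 0.3.x release.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      cgi (0.3.2)
      rack (3.0.8)
LOCK

if __FILE__ == $0
  locked = cgi_version_in_lockfile(SAMPLE_LOCK)
  puts "lockfile cgi #{locked}: #{cgi_fix_for(locked) ? "upgrade to #{cgi_fix_for(locked)}" : "not affected"}"
  if defined?(CGI::VERSION)
    fix = cgi_fix_for(CGI::VERSION)
    puts "installed cgi #{CGI::VERSION}: #{fix ? "affected, upgrade to #{fix}" : "not affected"}"
  end
end
```

Point cgi_version_in_lockfile at a real Gemfile.lock to audit a deployment; a cgi version that is absent from the lockfile means the application relies on whatever default gem the Ruby runtime ships, in which case the Ruby version itself must be checked against the Affected products list.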
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cgi (RubyGems) | >= 0.3.0, < 0.3.5 | 0.3.5 |
| cgi (RubyGems) | >= 0.2.0, < 0.2.2 | 0.2.2 |
| cgi (RubyGems) | < 0.1.0.2 | 0.1.0.2 |
Affected products
Ruby/cgi gem. No CPE is assigned; the entries below are OSV package coordinates (purl) with the affected version range recorded for each.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/ruby-3.0 | < 3.0.5-r0 |
| pkg:apk/chainguard/ruby-3.0-dev | < 3.0.5-r0 |
| pkg:apk/chainguard/ruby-3.0-doc | < 3.0.5-r0 |
| pkg:apk/wolfi/ruby-3.0 | < 3.0.5-r0 |
| pkg:apk/wolfi/ruby-3.0-dev | < 3.0.5-r0 |
| pkg:apk/wolfi/ruby-3.0-doc | < 3.0.5-r0 |
| pkg:bitnami/ruby | >= 2.7.0, < 2.7.7 |
| pkg:bitnami/ruby-min | >= 2.7.0, < 2.7.7 |
| pkg:gem/cgi | >= 0.3.0, < 0.3.5 |
| pkg:rpm/almalinux/ruby | < 2.7.8-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/ruby-bundled-gems | < 3.1.4-142.module_el8.9.0+3746+91b8233a |
| pkg:rpm/almalinux/ruby-default-gems | < 2.7.8-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/ruby-devel | < 2.7.8-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/ruby-doc | < 2.7.8-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-abrt | < 0.4.0-1.module_el8.3.0+6147+d0dfc1e4 |
| pkg:rpm/almalinux/rubygem-abrt-doc | < 0.4.0-1.module_el8.3.0+6147+d0dfc1e4 |
| pkg:rpm/almalinux/rubygem-bigdecimal | < 2.0.0-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-bson | < 4.8.1-1.module_el8.5.0+117+35d1289b |
| pkg:rpm/almalinux/rubygem-bson-doc | < 4.8.1-1.module_el8.3.0+6147+d0dfc1e4 |
| pkg:rpm/almalinux/rubygem-bundler | < 2.2.24-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-bundler-doc | < 1.16.1-4.module_el8.5.0+2625+ec418553 |
| pkg:rpm/almalinux/rubygem-did_you_mean | < 1.2.0-111.module_el8.9.0+3635+c6f99506 |
| pkg:rpm/almalinux/rubygem-io-console | < 0.5.6-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-irb | < 1.2.6-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-json | < 2.3.0-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-minitest | < 5.13.0-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-mongo | < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4 |
| pkg:rpm/almalinux/rubygem-mongo-doc | < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4 |
| pkg:rpm/almalinux/rubygem-mysql2 | < 0.5.3-1.module_el8.4.0+2399+4e3a532a |
| pkg:rpm/almalinux/rubygem-mysql2-doc | < 0.5.3-1.module_el8.3.0+6147+d0dfc1e4 |
| pkg:rpm/almalinux/rubygem-net-telnet | < 0.2.0-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-openssl | < 2.1.4-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-pg | < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4 |
| pkg:rpm/almalinux/rubygem-pg-doc | < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4 |
| pkg:rpm/almalinux/rubygem-power_assert | < 1.1.7-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-psych | < 3.1.0-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-rake | < 13.0.1-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-rbs | < 2.7.0-142.module_el8.9.0+3746+91b8233a |
| pkg:rpm/almalinux/rubygem-rdoc | < 6.2.1.1-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-rexml | < 3.2.5-142.module_el8.9.0+3746+91b8233a |
| pkg:rpm/almalinux/rubygem-rss | < 0.2.9-142.module_el8.9.0+3746+91b8233a |
| pkg:rpm/almalinux/rubygems | < 3.1.6-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygems-devel | < 3.1.6-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-test-unit | < 3.3.4-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/rubygem-typeprof | < 0.21.3-142.module_el8.9.0+3746+91b8233a |
| pkg:rpm/almalinux/rubygem-xmlrpc | < 0.3.0-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/almalinux/ruby-irb | < 2.5.9-111.module_el8.9.0+3635+c6f99506 |
| pkg:rpm/almalinux/ruby-libs | < 2.7.8-139.module_el8.8.0+3578+2b4b06da |
| pkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.4 | < 2.5.9-150000.4.29.1 |
| pkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.5 | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Enterprise%20Storage%207.1 | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Manager%20Proxy%204.2 | < 2.5.9-150000.4.29.1 |
| pkg:rpm/suse/ruby2.5&distro=SUSE%20Manager%20Server%204.2 | < 2.5.9-150000.4.29.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vc47-6rqg-c7f5 (GitHub Security Advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DQR7LWED6VAPD5ATYOBZIGJQPCUBRJBX/ (Fedora package announcement)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/THVTYHHEOVLQFCFHWURZYO7PVUPBHRZD/ (Fedora package announcement)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YACE6ORF2QBXXBK2V2CM36D7TZMEJVAS/ (Fedora package announcement)
- nvd.nist.gov/vuln/detail/CVE-2021-33621 (NVD)
- security.gentoo.org/glsa/202401-27 (Gentoo GLSA)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2021-33621.yml (ruby-advisory-db)
- hackerone.com/reports/1204695 (HackerOne report)
- lists.debian.org/debian-lts-announce/2023/06/msg00012.html (Debian LTS advisory)
- lists.debian.org/debian-lts-announce/2024/09/msg00000.html (Debian LTS advisory)
- security.netapp.com/advisory/ntap-20221228-0004 (NetApp advisory)
- www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621 (upstream ruby-lang.org advisory)
News mentions
No linked articles in our index yet.