VYPR
High severity · NVD Advisory · Published Jan 1, 2022 · Updated May 22, 2025

CVE-2021-41819

Description

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2021-41819: Ruby's CGI::Cookie.parse mishandles security prefixes via URL decoding, enabling prefix spoofing.

Vulnerability

CVE-2021-41819 is a cookie prefix spoofing vulnerability in CGI::Cookie.parse in Ruby through 2.6.8 and in the cgi gem through 0.3.0 for Ruby 2.7 and 3.0 [1][4]. The method applied URL decoding to cookie names, which allowed an attacker to spoof the __Secure- or __Host- security prefixes that browsers use to enforce cookie attributes [4]. Affected versions include Ruby 2.6.8 and earlier, cgi gem 0.1.0 or earlier (bundled with Ruby 2.7 series prior to 2.7.5), cgi gem 0.2.0 or earlier (bundled with Ruby 3.0 series prior to 3.0.3), and cgi gem 0.3.0 or earlier [4].

Exploitation

An attacker who can control a cookie name (for example, by injecting a specially crafted cookie into an HTTP response from a subdomain or a non-secure origin) can exploit this flaw. By URL-encoding the prefix in the cookie name (e.g., __%53ecure- instead of __Secure-), the attacker can cause CGI::Cookie.parse to decode the name and treat the cookie as having a security prefix that it does not actually possess [4]. The attacker requires only the ability to set a cookie with a manipulated name; no special authentication or network position is needed beyond that necessary to inject the cookie into the victim's browser [4].

Impact

Successful exploitation allows an attacker to spoof security cookie prefixes, potentially bypassing browser-enforced security attributes such as Secure or Path. This could trick a vulnerable application into trusting a cookie as having come from a secure, host-locked origin when it did not, leading to session hijacking, cross-site request forgery, or other attacks that rely on cookie integrity [4]. The impact is limited to applications that inspect cookie prefixes to enforce security policies.

Mitigation

Ruby upstream released fixes on 2021-11-24 [4]. Users of Ruby 2.7 or 3.0 should update the cgi gem to version 0.3.1, 0.2.1, or 0.1.1 or later; alternatively, update Ruby to 2.7.5 or 3.0.3. Users of Ruby 2.6 should update Ruby to 2.6.9 (the cgi gem cannot be updated independently for that series). For Ruby 2.5 and earlier, which are end-of-life, no patch is available and upgrading to a supported Ruby version is recommended [4].
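As an added illustration (not code from this page or from Ruby's cgi gem), the Ruby below contrasts the decode-then-check shape described under Exploitation with a check on the raw, undecoded name, and adds a detector for names whose decoded form gains a prefix the raw form lacks; the Cookie header and all function names are constructed for the example.

```ruby
require 'cgi'

# Constructed sample Cookie header: one genuine __Host- cookie and one whose
# __Secure- prefix is hidden behind percent-encoding (__%53ecure-).
RAW_COOKIE = "__Host-session=abc123; __%53ecure-token=xyz; plain=1".freeze

SECURITY_PREFIXES = ["__Secure-", "__Host-"].freeze

# Split a Cookie header into [raw_name, raw_value] pairs without decoding
# either side.
def split_cookie_pairs(raw_cookie)
  raw_cookie.split(/;\s?/).filter_map do |pair|
    name, value = pair.split("=", 2)
    [name, value] if name && value
  end
end

# Vulnerable shape: URL-decode the name first, then look for a prefix.
# "__%53ecure-token" decodes to "__Secure-token" and is wrongly accepted.
def prefixed_names_decode_first(raw_cookie)
  split_cookie_pairs(raw_cookie)
    .map { |n, _| CGI.unescape(n) }
    .select { |n| SECURITY_PREFIXES.any? { |p| n.start_with?(p) } }
end

# Hardened shape: judge the prefix on the bytes the browser actually sent.
# Browsers only enforce prefix rules for names that literally start with
# the prefix, so that is the only form an application may trust.
def prefixed_names_raw(raw_cookie)
  split_cookie_pairs(raw_cookie)
    .map(&:first)
    .select { |n| SECURITY_PREFIXES.any? { |p| n.start_with?(p) } }
end

# Detection helper: raw names whose decoded form acquires a security prefix.
def spoofed_prefix_names(raw_cookie)
  split_cookie_pairs(raw_cookie).map(&:first).select do |n|
    decoded = CGI.unescape(n)
    decoded != n &&
      SECURITY_PREFIXES.any? { |p| decoded.start_with?(p) && !n.start_with?(p) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "decode-first accepts: #{prefixed_names_decode_first(RAW_COOKIE).inspect}"
  puts "raw check accepts:    #{prefixed_names_raw(RAW_COOKIE).inspect}"
  puts "spoof attempts:       #{spoofed_prefix_names(RAW_COOKIE).inspect}"
end
```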

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions    Patched versions
cgi       RubyGems    >= 0.3.0, < 0.3.1    0.3.1
cgi       RubyGems    >= 0.2.0, < 0.2.1    0.2.1
cgi       RubyGems    < 0.1.0.1            0.1.0.1

Affected products: 46

Patches: 0 (no patches discovered yet)

References: 15
