HTTP Header Vulnerability in Ruby on Rails
CVE-2023-28362
What is CVE-2023-28362?
The redirect_to method in Ruby on Rails passes user-supplied values into the Location response header without rejecting characters that are not legal in an HTTP header value (for example the CR and LF control characters). A downstream service that enforces RFC compliance on response headers, such as a reverse proxy or CDN, may then drop the Location header entirely. When that happens the client never follows the redirect and instead renders the 3xx response body, so an attacker who controls the redirect target can break the integrity of redirect-based flows and potentially expose the application to further exploitation.
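The following Ruby script is an added example and is not code from Rails or from the advisory. It models the flaw without Rails: a redirect helper that copies a user-supplied target straight into Location, a strict downstream hop that drops header values containing control characters (the regex for "illegal" characters is an assumption modelled on RFC 7230 field-value rules, which permit tab but no other control characters), and a hardened helper that refuses such targets before the header is built. The function and constant names (`vulnerable_redirect`, `hardened_redirect`, `strict_proxy`, `client_action`, `ILLEGAL_HEADER_VALUE_RE`) are hypothetical.

```ruby
require "cgi"

# Assumption: characters that an RFC-compliant hop will not accept in a header value.
# NUL through BS, LF through US, and DEL are rejected; HT (0x09) is allowed by RFC 7230.
ILLEGAL_HEADER_VALUE_RE = /[\x00-\x08\x0A-\x1F\x7F]/

def illegal_header_value?(value)
  value.match?(ILLEGAL_HEADER_VALUE_RE)
end

# Models the vulnerable pattern: the user-supplied target becomes the Location
# header unchecked. The body mirrors the usual "You are being redirected" page;
# the target is HTML-escaped there, as a framework would do.
def vulnerable_redirect(target)
  {
    status: 302,
    headers: { "Location" => target },
    body: "<html><body>You are being <a href=\"#{CGI.escapeHTML(target)}\">redirected</a>.</body></html>"
  }
end

# Hardened variant: refuse a target that cannot be carried in a header value.
# Raising (rather than silently stripping) keeps the failure visible in logs.
def hardened_redirect(target)
  if illegal_header_value?(target)
    raise ArgumentError, "redirect target contains characters illegal in an HTTP header value"
  end
  vulnerable_redirect(target)
end

# Models a downstream service that enforces RFC compliance on response headers
# by dropping any header whose value contains illegal characters.
def strict_proxy(response)
  kept = response[:headers].reject { |_name, value| illegal_header_value?(value) }
  response.merge(headers: kept)
end

# What a browser does with the response it finally receives: follow the redirect
# if Location survived, otherwise render the body of the 3xx response.
def client_action(response)
  if response[:status].between?(300, 399) && response[:headers].key?("Location")
    [:follow, response[:headers]["Location"]]
  else
    [:render_body, response[:body]]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a benign target and one carrying a CRLF sequence.
  ["https://example.com/account", "https://example.com/\r\nX-Injected: 1"].each do |target|
    action, detail = client_action(strict_proxy(vulnerable_redirect(target)))
    puts "vulnerable: #{target.inspect} -> #{action} (#{detail[0, 40].inspect})"
    begin
      action, detail = client_action(strict_proxy(hardened_redirect(target)))
      puts "hardened:   #{target.inspect} -> #{action} (#{detail[0, 40].inspect})"
    rescue ArgumentError => e
      puts "hardened:   #{target.inspect} -> rejected (#{e.message})"
    end
  end
end
```

Running the script shows the benign target being followed in both variants, while the CRLF target loses its Location header at the strict hop in the vulnerable variant (the client renders the body instead of redirecting) and is rejected outright in the hardened variant. The same check can be applied to any value that ends up in a response header, not only Location.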
Affected Version(s)
All Action Pack releases before the fixed versions below; the fix shipped in Action Pack 7.0.5.1 and 6.1.7.4, so those two versions are the minimum patched releases, not affected ones.
Action Pack 7.0.5.1 (fixed)
Action Pack 6.1.7.4 (fixed)