vulnerability

Ruby on Rails Ruby on Rails: CVE-2021-44528: URL Redirection to Untrusted Site

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:M/Au:N/C:P/I:P/A:N)	Jan 10, 2022	Jan 17, 2022	May 6, 2026

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:P/A:N)

Published

Jan 10, 2022

Added

Jan 17, 2022

Modified

May 6, 2026

Description

A open redirect vulnerability exists in Action Pack greater than or equal to 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Solution

ruby-on-rails-upgrade-latest

References

CVE-2021-44528
https://attackerkb.com/topics/CVE-2021-44528
https://github.com/rails/rails/commit/0fccfb9a3097a9c4260c791f1a40b128517e7815
https://security.netapp.com/advisory/ntap-20240208-0003/
https://www.debian.org/security/2023/dsa-5372
https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-2571
CWE-601
EUVD-EUVD-2021-2571

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report