GHSA-QFGR-CRR9-7R49 Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing

Summary Rack::Utils.forwardedvalues parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header such as: http Forwarded: for="127.0.0.1;host=evil.com;proto=https" can be interpreted by Rack as...

Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing

Summary Rack::Utils.forwardedvalues parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header such as: http Forwarded: for="127.0.0.1;host=evil.com;proto=https" can be interpreted by Rack as...

Interpretation Conflict

Overview rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between the so-called middleware into a singl...

CVE-2026-32762

Rack is a modular Ruby web server interface. Vulnerability CVE-2026-32762 affects Rack::Utils.forwarded_values in versions 3.0.0.beta1–3.1.20 and 3.2.0–3.2.5, where the Forwarded header is parsed by splitting on semicolons before handling quoted values. Because semicolons may appear inside quoted...

CVE-2026-32762 Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwardedvalues parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons...

CVE-2026-32762 Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwardedvalues parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons...

Rack - Forwarded Header semicolon injection enables Host and Scheme spoofing

Summary Rack::Utils.forwardedvalues parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header such as: http Forwarded: for="127.0.0.1;host=evil.com;proto=https" can be interpreted by Rack as...

EUVD-2025-25231

Malicious code in bioql PyPI...

CVE-2025-8364

A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. Note: This issue only affected Android operating systems. Other operating systems are unaffected. This vulnerability affects Firefox 141...

CVE-2024-5022

The file scheme of URLs would be hidden, resulting in potential spoofing of a website's address in the location bar This vulnerability affects Focus for iOS 126...

PT-2024-4554 · Unknown · Focus For Ios

Name of the Vulnerable Software and Affected Versions: Focus for iOS versions prior to 126 Description: The issue is related to the file scheme of URLs being hidden, potentially allowing spoofing of a website's address in the location bar. This could enable a remote attacker to conduct spoofing...

SUSE CVE-2007-3819

Opera 9.21 allows remote attackers to spoof the data: URI scheme in the address bar via a long URI with trailing whitespace, which prevents the beginning of the URI from being displayed...

Spoofing of URI possible in Konqueror's address bar

konqueror/konqcombo.cc in Konqueror 3.5.7 allows remote attackers to spoof the data: URI scheme in the address bar via a long URI with trailing whitespace, which prevents the beginning of the URI from being displayed...