Specially crafted "X-Forwarded-Host" headers in combination with certain
"allowed host" formats can cause the Host Authorization middleware in Action
Pack to redirect users to a malicious website.
Impacted applications will have allowed hosts with a leading dot. For
configuration files that look like this:
config.hosts << '.EXAMPLE.com'
When an allowed host contains a leading dot, a specially crafted Host header
can be used to redirect to a malicious website.
This vulnerability is similar to CVE-2021-22881 and CVE-2021-22942.
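As an added illustration (not Rails or Action Pack code) of the defensive side of the advisory above: a strict allow-list matcher for the leading-dot host format, applied to the Host header and to every X-Forwarded-Host hop, that rejects any value which is not a bare hostname before redirect logic could see it. Method names, the suffix semantics and the sample headers are assumptions.

```ruby
# Added example, not code from Rails or Action Pack; names are hypothetical.

# A bare DNS hostname: labels of letters, digits and hyphens joined by dots.
# Anything else (scheme, slash, path, userinfo, whitespace) is rejected outright.
HOSTNAME = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/i

def host_allowed?(raw_host, allowed)
  return false if raw_host.nil? || raw_host.empty?
  host = raw_host.sub(/:\d{1,5}\z/, '').downcase   # drop an explicit port only
  return false unless HOSTNAME.match?(host)
  allowed.any? do |entry|
    entry = entry.downcase                         # compare case-insensitively
    if entry.start_with?('.')
      suffix = entry[1..]                          # ".example.com" => "example.com"
      host == suffix || host.end_with?(".#{suffix}")   # apex or any subdomain
    else
      host == entry
    end
  end
end

# Every host value the app could treat as authoritative must pass the check,
# including each hop listed in X-Forwarded-Host.
def request_allowed?(headers, allowed)
  candidates = [headers['Host']]
  forwarded = headers['X-Forwarded-Host']
  candidates.concat(forwarded.split(',').map(&:strip)) if forwarded && !forwarded.empty?
  candidates.all? { |h| host_allowed?(h, allowed) }
end

ALLOWED = ['.EXAMPLE.com'].freeze   # the allow-list format quoted in the advisory

# Constructed sample header hashes, not captured traffic.
SAMPLE = [
  { 'Host' => 'app.example.com' },
  { 'Host' => 'app.example.com', 'X-Forwarded-Host' => 'evil.test' },
  { 'Host' => 'app.example.com', 'X-Forwarded-Host' => 'evil.test/.example.com' }
].freeze

SAMPLE.each { |h| puts "#{h.inspect} => #{request_allowed?(h, ALLOWED)}" }
```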
Please bump to actionpack-126.96.36.199.
This requires rails 188.8.131.52 and 184.108.40.206. The x.4.2 releases were broken. Rails 5.2 is not affected.
Rails 220.127.116.11 and 18.104.22.168 are now available. I'll file a stable bug for actionpack and related dependencies in a few days.