CVE-2023-28362 Overview
CVE-2023-28362 is an Improper Input Validation vulnerability affecting the redirect_to method in Ruby on Rails. The vulnerability allows user-supplied values containing illegal characters (not permitted in HTTP header values per RFC specifications) to be accepted and used in redirect operations. When downstream services enforce strict RFC compliance on HTTP response headers, the assigned Location header may be stripped, potentially leading to unexpected behavior or security issues such as possible Cross-Site Scripting (XSS).
Critical Impact
User-supplied values containing illegal HTTP header characters can bypass input validation in the redirect_to method, potentially enabling XSS attacks or causing redirect failures when RFC-compliant proxies strip malformed headers.
Affected Products
- Ruby on Rails (ActionPack component)
- Applications using the redirect_to controller method
- Systems with RFC-compliant downstream proxies or load balancers
Discovery Timeline
- 2025-01-09 - CVE-2023-28362 published to NVD
- 2025-05-02 - Last updated in NVD database
Technical Details for CVE-2023-28362
Vulnerability Analysis
This vulnerability stems from improper encoding of output (CWE-116) in the Rails ActionPack component. The redirect_to method, which is commonly used to redirect users to different URLs within Rails applications, failed to properly validate and sanitize input values before using them in HTTP Location headers.
HTTP headers have strict requirements defined by RFC specifications regarding which characters are permitted. Control characters in the range \x00-\x08 and \x0A-\x1F are not legal in HTTP header values. When an attacker supplies input containing these illegal characters, the behavior depends on how downstream services handle the malformed headers. RFC-compliant proxies, load balancers, or WAFs may strip the Location header entirely, while less strict services may pass the malformed header through, potentially enabling XSS attacks.
The vulnerability requires local access but no privileges or user interaction to exploit, and its impact is limited to integrity, with no effect on confidentiality or availability.
Root Cause
The root cause lies in the redirect_to method within actionpack/lib/action_controller/metal/redirecting.rb lacking validation for illegal HTTP header characters. Before the patch, user-supplied values were passed directly to the Location header without checking for control characters that violate RFC specifications for HTTP headers.
Attack Vector
An attacker can exploit this vulnerability by providing specially crafted input containing control characters (bytes in the \x00-\x08 or \x0A-\x1F ranges) to any application endpoint that uses the redirect_to method with user-controllable values. This could be achieved through URL parameters, form inputs, or any other user-supplied data that gets passed to redirect_to.
When processed by RFC-compliant downstream services, the malformed Location header may be removed, causing the redirect to fail or behave unexpectedly. In certain configurations, this could also enable XSS attacks if the malformed header content is reflected in error pages.
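The following is an added example, not Rails code and not taken from the patch: it reproduces the control-character check described above as a stand-alone Ruby function and runs it over constructed sample redirect targets, so a reviewer can see exactly which bytes the check catches and which it does not (HTAB 0x09 and DEL 0x7F fall outside the character class, and a percent-encoded `%0A` is just three printable characters). The names `illegal_header_value?` and `validate_redirect_location!` are assumptions chosen for this example.

```ruby
# Added example (not Rails code): the control-character check the patched
# redirect_to applies, with the edge cases a reviewer should know about.
ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze

class UnsafeRedirectError < StandardError; end

# True when +value+ contains a byte from the ranges the check rejects.
# RFC 7230 section 3.2.6 allows HTAB (0x09) inside a field value, which is why
# the class skips it; DEL (0x7F) is outside the class as well.
def illegal_header_value?(value)
  ILLEGAL_HEADER_VALUE_REGEX.match?(value.to_s)
end

# Reject-rather-than-strip, mirroring what the fix does instead of the
# stripping workaround: the caller gets an exception, not a silently altered URL.
def validate_redirect_location!(location)
  location = location.to_s
  if illegal_header_value?(location)
    raise UnsafeRedirectError,
          "redirect target contains an illegal HTTP header character: #{location.inspect}"
  end
  location
end

# Constructed sample redirect targets (not real traffic).
SAMPLE_LOCATIONS = {
  "plain"      => "https://example.com/dashboard",
  "newline"    => "https://example.com/\n",         # 0x0A: rejected
  "nul"        => "https://example.com/\x00",       # 0x00: rejected
  "tab"        => "https://example.com/\tx",        # 0x09: outside the class, accepted
  "encoded_lf" => "https://example.com/?next=%0A",  # literal '%','0','A': accepted
  "del"        => "https://example.com/\x7F",       # 0x7F: outside the class, accepted
}.freeze

# Map each sample to :rejected or :accepted according to the check.
def classify_samples
  SAMPLE_LOCATIONS.transform_values { |loc| illegal_header_value?(loc) ? :rejected : :accepted }
end

if $PROGRAM_NAME == __FILE__
  classify_samples.each { |name, verdict| puts format("%-10s %s", name, verdict) }
end
```

The check operates on the decoded value that reaches redirect_to, so a percent-encoded control sequence in the raw query string is not what it sees; the decoded byte is. That is also why detection at the proxy or WAF layer has to look at both the encoded and the decoded forms.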
# Security patch adding illegal header value detection
# Source: https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
include AbstractController::Logger
include ActionController::UrlFor
+ ILLEGAL_HEADER_VALUE_REGEX = /[\\x00-\\x08\\x0A-\\x1F]/.freeze
+
+ class UnsafeRedirectError < StandardError; end
+
# Redirects the browser to the target specified in +options+. This parameter can be any one of:
#
# * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
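Review bot: the excerpt defines ILLEGAL_HEADER_VALUE_REGEX and UnsafeRedirectError but stops before the line that applies the regex to the redirect location and raises the error, so a reader cannot confirm from these lines that redirect_to actually rejects such values; extend the excerpt to include that guard, or describe its location in the surrounding text. As rendered here the regex carries doubled backslashes (`/[\\x00-\\x08\\x0A-\\x1F]/`); in Ruby that character class would match a literal backslash, the letter `x`, digits and a range of uppercase letters rather than the control bytes, so the intended form to verify against upstream is `/[\x00-\x08\x0A-\x1F]/`. Also worth a comment on the class: UnsafeRedirectError inherits from StandardError, so an application-wide `rescue_from StandardError` will catch it and may turn the rejection into a generic error page rather than a visible failure.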
The patch introduces ILLEGAL_HEADER_VALUE_REGEX to detect control characters and raises an UnsafeRedirectError when illegal values are detected, preventing the malformed header from being sent.
Detection Methods for CVE-2023-28362
Indicators of Compromise
- HTTP requests containing control characters (\x00-\x08, \x0A-\x1F) in parameters used for redirects
- Application logs showing unexpected redirect failures or stripped Location headers
- Error responses where redirects should have occurred, particularly from RFC-compliant proxies
- XSS-related alerts triggered by redirect functionality
Detection Strategies
- Monitor web application logs for requests containing non-printable ASCII characters in redirect-related parameters
- Deploy WAF rules to detect and block requests with control characters in URL parameters and form data
- Review proxy and load balancer logs for stripped or modified Location headers
- Implement application-level logging for redirect_to calls with suspicious input patterns
Monitoring Recommendations
- Enable verbose logging on Rails applications to capture redirect operations and their input values
- Configure security monitoring tools to alert on HTTP header manipulation attempts
- Audit application code for redirect_to calls that accept user-controllable input
- Monitor for UnsafeRedirectError exceptions after applying the security patch
How to Mitigate CVE-2023-28362
Immediate Actions Required
- Upgrade Ruby on Rails to the latest patched version that includes the security fix
- Review application code for all uses of redirect_to with user-supplied input
- Implement input validation at the application layer to reject control characters before they reach redirect_to
- Deploy WAF rules to block requests containing illegal HTTP header characters
Patch Information
The vulnerability has been addressed in Rails security patches. The fix adds the ILLEGAL_HEADER_VALUE_REGEX constant to detect control characters and introduces an UnsafeRedirectError exception that is raised when illegal values are detected. Updates are available through the official Rails repository. For detailed patch information, see the Ruby on Rails Discussion and the GitHub Security Advisory.
Workarounds
- Implement custom input sanitization to strip or reject control characters before passing values to redirect_to
- Use allowlist validation for redirect targets, only permitting known safe URLs
- Deploy a reverse proxy or WAF configured to reject requests with illegal header characters
- Consider using url_for with strict parameter validation instead of directly passing user input to redirect_to
# Input sanitization workaround for redirect_to
# Strip illegal HTTP header characters before redirecting
def safe_redirect_to(url, **options)
  # Same character class as the upstream fix: C0 control bytes except HTAB (\x09)
  sanitized_url = url.to_s.gsub(/[\x00-\x08\x0A-\x1F]/, '')
  redirect_to sanitized_url, **options
end
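The stripping helper above silently alters the target. The allowlist workaround listed earlier is stronger, and the following is an added example of it (not code from the Rails project or this advisory): it rejects control characters outright, then accepts only same-origin paths or absolute http(s) URLs whose host is on an allowlist, falling back to a fixed path otherwise. `ALLOWED_REDIRECT_HOSTS`, `FALLBACK_PATH` and the function name `safe_redirect_target` are assumptions for this example.

```ruby
require "uri"

# Added example (not Rails code): allowlist-based selection of a redirect target.
ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze

class UnsafeRedirectError < StandardError; end

# Hosts this application is willing to redirect to (assumed values).
ALLOWED_REDIRECT_HOSTS = %w[example.com app.example.com].freeze

# Where to send the user when the candidate target is not acceptable.
FALLBACK_PATH = "/".freeze

# Returns a redirect target that is safe to hand to redirect_to:
#   - raises UnsafeRedirectError on control characters (reject, do not strip)
#   - keeps same-origin paths ("/account"), but not protocol-relative "//host/..."
#   - keeps absolute http/https URLs only when the host is on the allowlist
#   - returns +fallback+ for everything else, including unparseable input
def safe_redirect_target(candidate, allowed_hosts: ALLOWED_REDIRECT_HOSTS, fallback: FALLBACK_PATH)
  value = candidate.to_s
  return fallback if value.empty?
  if ILLEGAL_HEADER_VALUE_REGEX.match?(value)
    raise UnsafeRedirectError, "redirect target contains an illegal HTTP header character"
  end

  uri = URI.parse(value)
  if uri.host.nil?
    # Relative target: a single leading slash keeps it on this origin.
    # "//host/path" parses with a host, so it never reaches this branch, but the
    # second check is kept as a defensive measure against other parsers.
    return value if value.start_with?("/") && !value.start_with?("//")
    return fallback
  end

  return fallback unless %w[http https].include?(uri.scheme)
  allowed_hosts.include?(uri.host.downcase) ? value : fallback
rescue URI::InvalidURIError
  fallback
end

# Constructed sample inputs (not real traffic), mapped to the chosen target.
SAMPLE_CANDIDATES = [
  "/account",
  "https://app.example.com/settings",
  "https://other.example/settings",
  "//other.example/settings",
  "ftp://example.com/file",
  "",
].freeze

def resolve_samples
  SAMPLE_CANDIDATES.map { |c| [c, safe_redirect_target(c)] }
end

if $PROGRAM_NAME == __FILE__
  resolve_samples.each { |candidate, target| puts format("%-36s -> %s", candidate.inspect, target) }
end
```

In a controller this is used as `redirect_to safe_redirect_target(params[:return_to])`; because the function raises rather than strips, an UnsafeRedirectError in the logs is itself a signal worth alerting on, as the monitoring section recommends for the patched redirect_to.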
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.