CVE-2021-29479

7.0 HIGH

📋 TL;DR

This vulnerability allows attackers to poison web caches by manipulating the X-Forwarded-Host header in Ratpack applications. It enables redirect cache poisoning where users can be redirected to malicious sites instead of legitimate destinations. Only Ratpack servers using the default PublicAddress configuration without custom cache key settings are affected.

💻 Affected Systems

Products:
  • Ratpack
Versions: All versions prior to 1.9.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when using default PublicAddress configuration without custom cache keys including X-Forwarded-Host header.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could redirect all users of a vulnerable application to phishing sites, steal credentials, or distribute malware through poisoned redirects.

🟠 Likely Case

Targeted cache poisoning leading to user redirection to attacker-controlled sites for phishing or credential harvesting.

🟢 If Mitigated

No impact if proper PublicAddress configuration or patched version is used.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to send HTTP requests carrying an X-Forwarded-Host header to a vulnerable server that sits behind a cache.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.0

Vendor Advisory: https://github.com/ratpack/ratpack/security/advisories/GHSA-w6rq-6h34-vh7q

Restart Required: Yes

Instructions:

1. Update the Ratpack dependency to version 1.9.0 or later.
2. Update build.gradle or pom.xml to use ratpack:1.9.0+.
3. Rebuild and redeploy the application.
4. Restart the server.

🔧 Temporary Workarounds

Configure PublicAddress


Manually configure ServerConfigBuilder::publicAddress with the correct public server address instead of relying on the default inference from request headers.

    ratpack {
      serverConfig {
        publicAddress(URI.create("https://your-domain.com"))
      }
    }

🧯 If You Can't Patch

  • Configure web cache to include X-Forwarded-Host header in cache keys
  • Implement WAF rules to validate or strip X-Forwarded-Host headers

🔍 How to Verify

Check if Vulnerable:

Check whether the Ratpack version is below 1.9.0 and the application relies on the default PublicAddress configuration without custom cache keys.

Check Version:

Check build.gradle for 'ratpack' version or examine deployed application dependencies.

Verify Fix Applied:

Verify that the Ratpack version is 1.9.0 or later, and that either PublicAddress is explicitly configured or the cache keys include the X-Forwarded-Host header.

📡 Detection & Monitoring

Log Indicators:

  • Unusual X-Forwarded-Host header values in access logs
  • Multiple redirects to unexpected domains

Network Indicators:

  • HTTP requests with manipulated X-Forwarded-Host headers
  • Unexpected redirect responses from cache

SIEM Query:

http.headers:X-Forwarded-Host AND (http.status:301 OR http.status:302)
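The log indicators above turned into an offline check, as an added example that is not part of this advisory. It assumes a hypothetical access-log format in which the proxy or cache appends the X-Forwarded-Host request header and the Location response header to each line, and an allowlist of hosts the application legitimately serves; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Hypothetical log format: combined log with two appended fields, xfh="<X-Forwarded-Host
# request header>" and loc="<Location response header>". Assumption: the proxy or cache
# in front of Ratpack is configured to log these fields; adapt LOG_RE to the real format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ xfh="(?P<xfh>[^"]*)" loc="(?P<loc>[^"]*)"$'
)
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample lines, not real traffic. Line 2 shows the poisoning outcome the
# advisory describes: the redirect's Location host mirrors the forged X-Forwarded-Host.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2021:12:00:01 +0000] "GET /login HTTP/1.1" 302 0 xfh="" loc="https://app.example.com/auth"
203.0.113.7 - - [10/May/2021:12:00:02 +0000] "GET /login HTTP/1.1" 302 0 xfh="evil.example" loc="https://evil.example/auth"
203.0.113.9 - - [10/May/2021:12:00:03 +0000] "GET /health HTTP/1.1" 200 12 xfh="evil.example" loc=""
203.0.113.5 - - [10/May/2021:12:00:04 +0000] "GET /login HTTP/1.1" 302 0 xfh="app.example.com" loc="https://app.example.com/auth"
"""


def find_xfh_anomalies(log_text, expected_hosts):
    """Flag lines whose X-Forwarded-Host is not one of expected_hosts (lower-case).

    Severity is 'high' when the response is a redirect whose Location host equals the
    unexpected X-Forwarded-Host (a poisoned redirect), 'low' for any other such request.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        xfh = m.group("xfh").strip().lower()
        if not xfh or xfh in expected_hosts:
            continue
        status = int(m.group("status"))
        loc_host = (urlsplit(m.group("loc")).hostname or "").lower()
        poisoned = status in REDIRECT_STATUSES and loc_host == xfh
        findings.append({"ip": m.group("ip"), "path": m.group("path"), "status": status,
                         "xfh": xfh, "location": m.group("loc"),
                         "severity": "high" if poisoned else "low"})
    return findings


if __name__ == "__main__":
    for f in find_xfh_anomalies(SAMPLE_LOG, {"app.example.com"}):
        print(f["severity"], f["ip"], f["path"], f["xfh"], f["location"])
```

A 'high' finding corresponds to the SIEM query above with the precedence made explicit; 'low' findings are the "unusual X-Forwarded-Host values" indicator, useful for spotting probing before any redirect is poisoned.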
