Phusion Passenger Server allows to overwrite headers in some cases


2017-06-16 19:16
CVE-2015-7519 passenger
CVE-2015-7519 ruby-passenger
2017-04-01 19:10
2017-01-05 20:15


It is possible in some cases, for clients to overwrite headers set by the server, resulting in a medium level security issue. Passenger 5 uses an SCGI-inspired format to pass headers to Ruby/Python applications, while Passenger 4 uses an SCGI-inspired format to pass headers to all applications. This implies a conversion to UPPER_CASE_WITH_UNDERSCORES whereby the difference between characters like '-' and '_' is lost.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information

Package Patched in Unaffected in
passenger ~> 4.0.60,>= 5.0.22 None