Platform
ruby
Component
passenger
Fixed in
4.0.60
CVE-2015-7519 is a header spoofing vulnerability in Phusion Passenger. It lets a remote client supply an HTTP header that the application receives under the same name as a header it expects only a trusted front proxy to set, so the application may act on a client-controlled value. The vulnerability affects Passenger 4.x before 4.0.60 and 5.x before 5.0.22; the fix shipped in 4.0.60 for the 4.x line and 5.0.22 for the 5.x line.
The root cause is the CGI-style normalization that Passenger (like any Rack host) applies to header names: the name is uppercased, dashes are replaced with underscores, and the result is prefixed with HTTP_. Both X-User and X_User therefore arrive in the application as HTTP_X_USER. A proxy rule or application check that strips or overwrites only the dashed form (X-User) does not match the underscored form (X_User), so an attacker can send the underscored name directly. nginx drops header names containing underscores by default, which is why the nginx integration mode is not affected; in Apache integration mode, or in standalone mode with no filtering proxy in front, the underscored header is passed straight through. The result is that an attacker can inject a header the application treats as trusted, which can influence application logic or bypass controls that key on such headers. While the CVSS score is LOW, successful exploitation can lead to application-specific impact, such as manipulating authentication or authorization decisions that rely on a proxy-set header. The blast radius is limited to the affected application and its environment.
CVE-2015-7519 was published on October 10, 2018. There is no indication of active exploitation campaigns targeting this vulnerability. It is not listed in the CISA KEV catalog, and its EPSS score is low (0.36%). The LOW CVSS score suggests a low probability of exploitation in the wild, but the potential for application-specific impact warrants remediation.
Exploit Status
EPSS
0.36% (58th percentile)
CVSS Vector
The primary mitigation for CVE-2015-7519 is to upgrade to Phusion Passenger 4.0.60 or later on the 4.x line, or 5.0.22 or later on the 5.x line. If upgrading is not immediately feasible, place a filtering proxy in front of Passenger that rejects or drops request headers whose names contain characters outside the expected set. nginx does this out of the box: with its defaults (underscores_in_headers off and ignore_invalid_headers on), any header name containing an underscore is discarded before the request is forwarded. Apache with mod_security, or a mod_headers rule, can be configured to the same effect, but note that a rule which only unsets the dashed name (for example X-User) does not catch the underscored variant (X_User). Independently of the proxy, review application code so that it does not treat any header as trusted unless the proxy is guaranteed to overwrite it on every request. After upgrading, confirm the fix by sending a request with an underscore in a header name (for example X_User: test) to an endpoint that echoes the corresponding HTTP_X_USER environment value, and verify that the value never reaches the application.
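The following is an added example, not Passenger's own code, illustrating both the header-name collision described above and the filtering that a front proxy must do to close it. It simulates the CGI-style normalization that Passenger applies, compares a naive filter that only strips the dashed name (the kind of rule an Apache RequestHeader unset X-User directive would give you) against a strict filter that also drops underscore names, and shows the post-mitigation check. The X-User header, the assumption that a proxy sets it after authentication, and the constructed attacker request are all illustrative choices, not anything from the advisory.

```ruby
# Added example (not Passenger's code). Simulates how a client-supplied X_User header
# collides with a proxy-set X-User header after CGI/Rack normalization, and how a
# filtering proxy must behave. Header names and the "trusted X-User" convention are
# assumptions for illustration only.

# CGI/Rack normalization: uppercase, dash -> underscore, HTTP_ prefix.
# "X-User" and "X_User" both become "HTTP_X_USER".
def cgi_name(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# Build the env hash the application sees from raw headers ([name, value] pairs).
# Without a filtering proxy this is what Apache/standalone mode hands to the app:
# the last header to normalize to a given key wins.
def build_env(raw_headers)
  raw_headers.each_with_object({}) do |(name, value), env|
    env[cgi_name(name)] = value
  end
end

# Headers the proxy is responsible for setting; a client copy must never survive.
PROXY_OWNED = ["x-user"].freeze  # assumption: proxy sets X-User after authentication

# Naive filter: strips only the exact dashed name (like "RequestHeader unset X-User").
# The underscored spelling slips past it.
def naive_filter(raw_headers)
  raw_headers.reject { |(name, _value)| PROXY_OWNED.include?(name.downcase) }
end

# Strict filter: additionally drops any header name containing an underscore, which is
# what nginx does by default (underscores_in_headers off, ignore_invalid_headers on).
def strict_filter(raw_headers)
  raw_headers.reject do |(name, _value)|
    name.include?("_") || PROXY_OWNED.include?(name.downcase)
  end
end

# A correctly behaving proxy: strict-filter the client headers, then append its own
# trusted X-User so the application can rely on HTTP_X_USER.
def proxy_env(raw_headers, authenticated_user)
  build_env(strict_filter(raw_headers) + [["X-User", authenticated_user]])
end

# Post-mitigation check: did a client-supplied value end up in HTTP_X_USER?
def spoofed?(env, expected_user)
  env["HTTP_X_USER"] != expected_user
end

# Constructed attacker request: no X-User at all, only the colliding X_User.
ATTACK = [["Host", "app.example"], ["X_User", "admin"]].freeze

if __FILE__ == $0
  puts "no filter:     HTTP_X_USER=#{build_env(ATTACK)['HTTP_X_USER'].inspect}"
  puts "naive filter:  HTTP_X_USER=#{build_env(naive_filter(ATTACK))['HTTP_X_USER'].inspect}"
  puts "strict filter: HTTP_X_USER=#{build_env(strict_filter(ATTACK))['HTTP_X_USER'].inspect}"
  puts "behind proxy:  HTTP_X_USER=#{proxy_env(ATTACK, 'guest')['HTTP_X_USER'].inspect}"
end
```

The naive filter is the interesting case: it looks correct when tested with a dashed X-User header, which is why this class of bug survives review. Any allow-list or strip rule that runs before CGI normalization has to be applied to the normalized form, or has to reject the characters that normalization would fold together.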
Official fixes are available: Passenger 4.0.60 for the 4.x line and 5.0.22 for the 5.x line.
CVE-2015-7519 is a vulnerability in Phusion Passenger that lets attackers spoof HTTP headers by using underscores instead of dashes in header names, since both normalize to the same HTTP_* environment variable. It affects Passenger 4.x before 4.0.60 and 5.x before 5.0.22.
You are affected if you run Phusion Passenger 4.x earlier than 4.0.60 or 5.x earlier than 5.0.22 in Apache integration mode, or in standalone mode without a filtering proxy in front of it.
Upgrade to Phusion Passenger 4.0.60 or later (4.x) or 5.0.22 or later (5.x). As a temporary workaround, place a filtering proxy in front of Passenger that drops header names containing underscores.
There is no public evidence of active exploitation campaigns targeting CVE-2015-7519 at this time.
Refer to the Phusion Passenger security advisory: https://www.phusionpassenger.com/security/CVE-2015-7519