rack-proxy is vulnerable to Insecure Default Variable Initialization
73
High Risk
Before the fix, rack-proxy disabled TLS certificate verification for HTTPS backends by default (OpenSSL::SSL::VERIFY_NONE), leaving backend connections open to man-in-the-middle attacks. Although the :ssl_verify_none option existed, it was effectively ignored, so the insecure default applied silently unless :verify_mode was set explicitly. The fix changes the default to OpenSSL::SSL::VERIFY_PEER, honors :ssl_verify_none as an explicit opt-out, and gives :verify_mode precedence when both are present. An attacker able to intercept traffic between rack-proxy and its HTTPS backend could present a forged certificate, impersonate the backend server, and read or modify proxied requests and responses.
You are affected if you are using a version that falls within the vulnerable range.
rack-proxy is vulnerable to Insecure Default Variable Initialization in versions 0.0.1 - 0.7.8.
Upgrade rack-proxy to a patched version, or explicitly set :verify_mode to a safe value (OpenSSL::SSL::VERIFY_PEER).
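The option precedence the advisory describes, shown as an added Ruby example that is not rack-proxy's own code. The option names :verify_mode and :ssl_verify_none come from the advisory; the BackendTlsPolicy module, its two resolver functions and build_backend_client are hypothetical reconstructions of the pre-fix and post-fix behaviour, written so a maintainer can check which verify mode a given option hash actually produces.

```ruby
require "openssl"
require "net/http"

# Added example, not rack-proxy's own code. Reconstructs the two
# behaviours the advisory describes so the difference can be tested.
module BackendTlsPolicy
  module_function

  # Pre-fix behaviour (the defect): verification is off unless the caller
  # sets :verify_mode explicitly; :ssl_verify_none is silently ignored,
  # so even { ssl_verify_none: false } still yields VERIFY_NONE.
  def vulnerable(opts)
    opts.fetch(:verify_mode, OpenSSL::SSL::VERIFY_NONE)
  end

  # Post-fix behaviour: an explicit :verify_mode wins; otherwise
  # :ssl_verify_none is an explicit opt-out; otherwise verify the peer.
  def fixed(opts)
    return opts[:verify_mode] if opts.key?(:verify_mode)
    return OpenSSL::SSL::VERIFY_NONE if opts[:ssl_verify_none]

    OpenSSL::SSL::VERIFY_PEER
  end

  # Defender-side check: would this option hash verify the backend's
  # certificate under the given resolver (:vulnerable or :fixed)?
  def verifies_peer?(opts, resolver)
    public_send(resolver, opts) == OpenSSL::SSL::VERIFY_PEER
  end
end

# Hypothetical helper: configure a Net::HTTP client for an HTTPS backend
# using the fixed policy. No connection is opened here.
def build_backend_client(host, port, opts = {})
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = BackendTlsPolicy.fixed(opts)
  http
end

if $PROGRAM_NAME == __FILE__
  # Constructed option hashes a proxy operator might have written.
  samples = {
    "no options"               => {},
    "ssl_verify_none: false"   => { ssl_verify_none: false },
    "ssl_verify_none: true"    => { ssl_verify_none: true },
    "verify_mode: VERIFY_PEER" => { verify_mode: OpenSSL::SSL::VERIFY_PEER }
  }
  samples.each do |label, opts|
    before = BackendTlsPolicy.verifies_peer?(opts, :vulnerable)
    after  = BackendTlsPolicy.verifies_peer?(opts, :fixed)
    puts format("%-26s before fix: %-5s after fix: %s", label, before, after)
  end
end
```

The important row is the empty option hash: before the fix it silently yields VERIFY_NONE, after the fix VERIFY_PEER. If you cannot upgrade, passing verify_mode: OpenSSL::SSL::VERIFY_PEER explicitly is the one setting both resolvers honor.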