Rack::Protection v1.5.5 is out

By Kunpei Sakai on Thursday, March 8, 2018

I have just released Rack Protection v1.5.5 for backporting security fix.


The v1.5.5 contains a security fix for CVE-2018-1000119.

It was determined a timing attack vulnerability in the CSRF token checking that can result in signatures being exposed.

The original fix has already been merged at rack-protection v2.0.0.rc3. Therefore, there is no problem if you are using rack-protection v2.0.0.rc3 or later.

At first of all, we strongly recommend that you check the version of rack-protection you are currently using on your application. You can confirm that by looking at the version of rack-protection embedded in Gemfile.lock.

As a result, if you still are using rack-protection v1.5.4 or earlier, we would highly recommend to upgrade the gem.

Thank you

Finally, I am deeply grateful to Andreas Karlsson and Kurt Seifried who worked on this issue. Thank you.