Product
Rack::Session::Cookie incorrectly handles decryption failures, falling back to a default decoder and allowing attackers to forge session cookies without knowing the secret, potentially leading to authentication bypass or privilege escalation in vulnerable Rack applications.