Don't fall back to unencrypted coder if encryptors are present.

Author: ioquatix

lib/rack/session/cookie.rb

@@ -237,8 +237,10 @@ def unpacked_cookie_data(request)
               # Decode using legacy HMAC decoder
               session_data = @legacy_hmac_coder.decode(session_data)
 
-            elsif !session_data && coder
-              # Use the coder option, which has the potential to be very unsafe
+            elsif !session_data && encryptors.empty? && coder
+              # Use the coder option, which has the potential to be very unsafe.
+              # This path is only reached when no encryptors (secrets:) are configured;
+              # if encryptors are present but decryption failed, the cookie is rejected.
               session_data = coder.decode(cookie_data)
             end
           end

releases.md

@@ -1,5 +1,9 @@
 # Releases
 
+## Unreleased
+
+  - [CVE-2026-39324](https://github.com/advisories/GHSA-33qg-7wpp-89cq) Don't fall back to unencrypted coder if encryptors are present.
+
 ## v2.1.1
 
   - Prevent `Rack::Session::Pool` from recreating deleted sessions [CVE-2025-46336](https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj).

test/spec_session_cookie.rb

@@ -365,6 +365,31 @@ def decode(str); @calls << :decode; JSON.parse(str); end
     response.body.must_equal ({"counter"=>1}.to_s)
   end
 
+  it 'rejects a forged plain Base64::Marshal cookie when secrets: is configured' do
+    # Construct a forged cookie without knowing the secret: plain Base64-encoded
+    # Marshal payload, identical to what an attacker would send.
+    forged_payload = { 'session_id' => 'attacker-fixed', 'counter' => 999 }
+    forged_cookie = "rack.session=#{Base64.strict_encode64(Marshal.dump(forged_payload))}"
+
+    app = [incrementor, { secrets: @secret }]
+
+    # The forged cookie must be rejected; session starts fresh (counter = 1).
+    response = response_for(app: app, cookie: forged_cookie)
+    response.body.must_equal ({"counter" => 1}.to_s)
+  end
+
+  it 'rejects a forged plain Base64::Marshal cookie when secrets: and serialize_json: true are configured' do
+    # serialize_json: true only affects the encryptor serializer; the coder
+    # fallback must also be suppressed when encryptors are configured.
+    forged_payload = { 'session_id' => 'attacker-fixed', 'counter' => 999 }
+    forged_cookie = "rack.session=#{Base64.strict_encode64(Marshal.dump(forged_payload))}"
+
+    app = [incrementor, { secrets: @secret, serialize_json: true }]
+
+    response = response_for(app: app, cookie: forged_cookie)
+    response.body.must_equal ({"counter" => 1}.to_s)
+  end
+
   it 'rejects session cookie with different purpose' do
     app = [incrementor, { secrets: @secrets }]
     other_app = [incrementor, { secrets: @secrets, key: 'other' }]