1 file changed +36 -0 lines changed
1+ ---
2+ layout : advisory
3+ title : ' CVE-2025-6442 (webrick): Ruby WEBrick read_headers method can lead to HTTP
4+ Request/Response Smuggling'
5+ comments : false
6+ categories :
7+ - webrick
8+ advisory :
9+ gem : webrick
10+ cve : 2025-6442
11+ ghsa : r995-q44h-hr64
12+ url : https://github.com/advisories/GHSA-r995-q44h-hr64
13+ title : Ruby WEBrick read_headers method can lead to HTTP Request/Response Smuggling
14+ date : 2025-06-26
15+ description : |
16+ Ruby WEBrick read_header HTTP Request Smuggling Vulnerability
17+
18+ This vulnerability allows remote attackers to smuggle arbitrary HTTP
19+ requests on affected installations of Ruby WEBrick. This issue is
20+ exploitable when the product is deployed behind an HTTP proxy that
21+ fulfills specific conditions.
22+
23+ The specific flaw exists within the read_headers method. The issue
24+ results from the inconsistent parsing of terminators of HTTP headers.
25+ An attacker can leverage this vulnerability to smuggle arbitrary
26+ HTTP requests. Was ZDI-CAN-21876.
27+ cvss_v3 : 6.5
28+ patched_versions :
29+ - " >= 1.8.2"
30+ related :
31+ url :
32+ - https://nvd.nist.gov/vuln/detail/CVE-2025-6442
33+ - https://github.com/ruby/webrick/commit/ee60354bcb84ec33b9245e1d1aa6e1f7e8132101#diff-ad02984d873efb089aa51551bc6b7d307a53e0ba1ac439e91d69c2e58a478864
34+ - https://www.zerodayinitiative.com/advisories/ZDI-25-414
35+ - https://github.com/advisories/GHSA-r995-q44h-hr64
36+ ---
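Review bot: the description's first line ("Ruby WEBrick read_header HTTP Request Smuggling Vulnerability", line 16) names the method as `read_header`, while the two `title` fields (lines 3 and 13) and the description body (line 23) say `read_headers`; the method name should be spelled consistently, so use `read_headers` on line 16 as well. Minor style point on line 33: the commit URL carries a `#diff-ad02984d...` fragment that only scrolls the page to one file in the browser; the bare commit URL (`https://github.com/ruby/webrick/commit/ee60354bcb84ec33b9245e1d1aa6e1f7e8132101`) is the stable reference and reads more cleanly in the `related.url` list.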