CVE-2025-6442

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-6442

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-6442.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-6442

Aliases

GHSA-r995-q44h-hr64

Related

UBUNTU-CVE-2025-6442

Published

2025-06-25T17:15:40Z

Modified

2025-07-01T16:33:43.316254Z

Summary

[none]

Details

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions.

The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.

References

Affected packages

Debian:12 / ruby-webrick

Package

Name: ruby-webrick
Purl: pkg:deb/debian/ruby-webrick?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.8.1-1

1.9.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby-webrick

Package

Name: ruby-webrick
Purl: pkg:deb/debian/ruby-webrick?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.1-1

Affected versions

1.*

1.8.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/ruby/webrick

Affected ranges

Type: GIT
Repo: https://github.com/ruby/webrick
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ee60354bcb84ec33b9245e1d1aa6e1f7e8132101

Affected versions

v1.*

v1.4.0

v1.4.0.beta1

v1.4.1

v1.4.2

v1.5.0

v1.6.0

v1.7.0

v1.8.0

v1.8.1