AZL-64364

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64364.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-64364

Upstream

CVE-2025-6442

Published

2025-06-25T17:15:40Z

Modified

2026-04-01T05:20:18.134794Z

Summary

CVE-2025-6442 affecting package ruby for versions less than 3.1.7-2

Details

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions.

The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-6442

Affected packages

Azure Linux:2 / ruby

Package

Name: ruby
Purl: pkg:rpm/azure-linux/ruby

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.7-2

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64364.json"