CVE-2025-6442

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-6442
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-6442.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-6442
Aliases
Downstream
Related
Published
2025-06-25T17:15:40Z
Modified
2025-10-18T06:54:37.619885Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions.

The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.

References

Affected packages

Git / github.com/ruby/webrick

Affected ranges

Type
GIT
Repo
https://github.com/ruby/webrick
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ee60354bcb84ec33b9245e1d1aa6e1f7e8132101

Affected versions

v1.*

v1.4.0
v1.4.0.beta1
v1.4.1
v1.4.2
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.8.1