Vulnerability Description
Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ruby-Lang | Webrick | < 1.8.2 |
Related Weaknesses (CWE)
References
- https://github.com/ruby/webrick/commit/ee60354bcb84ec33b9245e1d1aa6e1f7e8132101#Patch
- https://www.zerodayinitiative.com/advisories/ZDI-25-414/Third Party Advisory
FAQ
What is CVE-2025-6442?
CVE-2025-6442 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is ex...
How severe is CVE-2025-6442?
CVE-2025-6442 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-6442?
Check the references section above for vendor advisories and patch information. Affected products include: Ruby-Lang Webrick.