CVE-2024-47220 — HTTP Request Smuggling in Webrick

CWE-444 — HTTP Request Smuggling10 documents7 sources

Severity

7.5HIGH

No vector

EPSS

0.1%

top 70.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby-lang Webrick

Timeline

PublishedSep 22

Latest updateOct 27

Description

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."

Affected Packages1 packages

▶RubyGemsruby-lang/webrick< 1.8.2

🔴Vulnerability Details

OSV

CVE-2024-47220: An issue was discovered in the WEBrick toolkit through 1↗2024-09-22

▶

GHSA

HTTP Request Smuggling in ruby webrick↗2024-09-22

▶

CVEList

CVE-2024-47220: An issue was discovered in the WEBrick toolkit through 1↗2024-09-22

▶

OSV

HTTP Request Smuggling in ruby webrick↗2024-09-22

▶

📋Vendor Advisories

Ubuntu

Ruby vulnerabilities↗2025-10-27

▶

Ubuntu

WEBrick vulnerability↗2024-10-08

▶

Ubuntu

WEBrick vulnerability↗2024-10-07

▶

Red Hat

WEBrick: HTTP request smuggling↗2024-09-22

▶

Debian

CVE-2024-47220: ruby-webrick - An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows...↗2024

▶