CVE-2025-6442HTTP Request Smuggling in Webrick

CWE-444HTTP Request Smuggling12 documents8 sources
Severity
5.9MEDIUMNVD
EPSS
0.1%
top 77.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Ruby-lang WebrickRuby Webrick
Timeline
PublishedJun 25
Latest updateNov 3

Description

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HT

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

NVDruby-lang/webrick< 1.8.2
RubyGemsruby-lang/webrick< 1.8.2
CVEListV5ruby/webrick1.8.1

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
Ruby WEBrick read_headers method can lead to HTTP Request/Response Smuggling2025-06-26
GHSA
Ruby WEBrick read_headers method can lead to HTTP Request/Response Smuggling2025-06-26
CVEList
Ruby WEBrick read_header HTTP Request Smuggling Vulnerability2025-06-25
OSV
CVE-2025-6442: Ruby WEBrick read_header HTTP Request Smuggling Vulnerability2025-06-25

📋Vendor Advisories

7
Apple
CVE-2025-6442: macOS Tahoe 26.12025-11-03
Apple
CVE-2025-6442: macOS Sequoia 15.7.22025-11-03
Apple
CVE-2025-6442: macOS Sonoma 14.8.22025-11-03
Ubuntu
Ruby vulnerabilities2025-10-27
Ubuntu
WEBrick vulnerability2025-08-21
CVE-2025-6442 — HTTP Request Smuggling in Webrick | cvebase