CVE-2025-6442

Medium CVSS: 5.9

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions.

The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.

Vendor

Ruby-lang

Product

Webrick

CWE

CWE-444

Yayın Tarihi

2025-06-25 17:15:40

Güncelleme

2025-08-18 15:49:38

Source Identifier

zdi-disclosures@trendmicro.com

KEV Date Added

Kategoriler

CWE-444 Webrick MEDIUM Ruby-lang 2025

Referanslar

https://github.com/ruby/webrick/commit/ee60354bcb84ec33b9245e1d1aa6e1f7e8132101#diff-ad02984d873efb089aa51551bc6b7d307a53e0ba1ac439e91d69c2e58a478864 https://www.zerodayinitiative.com/advisories/ZDI-25-414/

Benzer Kayıtlar

High

CVE-2026-33210

Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a fo…

Low

CVE-2025-61594

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4…

Low

CVE-2025-58767

REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing…

Medium

CVE-2025-43857

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.…

High

CVE-2025-27788

JSON is a JSON implementation for Ruby. Starting in version 2.10.0 and prior to version 2.10.2, a specially crafted docu…

Medium

CVE-2025-27219

In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Ser…