Bug 2374895 (CVE-2025-6442) - CVE-2025-6442 webrick: Ruby WEBrick Request Smuggling Vulnerability
Summary: CVE-2025-6442 webrick: Ruby WEBrick Request Smuggling Vulnerability
Keywords:
Status: NEW
Alias: CVE-2025-6442
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2375005 2375006 2375007 2375008
Blocks:
Reported: 2025-06-26 07:03 UTC by OSIDB Bzimport
Modified: 2025-06-26 18:22 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-06-26 07:03:07 UTC
Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions.

The specific flaw exists within the read_headers method. The issue results from inconsistent parsing of HTTP header line terminators, so a front-end proxy and WEBrick can disagree on where one request ends and the next begins. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.
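As an added illustration of the defensive check this description implies (example code, not WEBrick's or the advisory's), the following Ruby validator accepts only CRLF header terminators and reports any header line that a more lenient parser could split differently. It assumes the parser disagreement is over bare CR or LF bytes, the usual shape of this bug class; the sample requests are constructed.

```ruby
# Added example, not WEBrick's code. Assumption: the lenient behaviour being
# guarded against is treating a bare LF or CR as a header line terminator.
# A front end or test harness can run this over a raw request and refuse
# anything that is not terminated strictly by CRLF.

# Constructed sample requests: one well-formed, one with a bare LF inside the
# header block.
GOOD_REQUEST = "GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
BARE_LF_REQUEST = "GET / HTTP/1.1\r\nHost: example.test\nContent-Length: 0\r\n\r\n"

# Split the header block on CRLF only. Any lone CR or LF left inside a line is
# reported, because a lenient parser might treat it as an extra line ending and
# see a different header set (or a different message boundary) than we do.
def strict_header_lines(raw)
  head, sep, _body = raw.partition("\r\n\r\n")
  if sep.empty?
    return { ok: false, issues: ["header block not terminated by CRLF CRLF"], headers: {} }
  end

  issues = []
  headers = {}
  lines = head.split("\r\n", -1)
  request_line = lines.shift
  issues << "request line contains bare CR or LF" if request_line =~ /[\r\n]/

  lines.each_with_index do |line, i|
    if line =~ /[\r\n]/
      issues << "header line #{i + 1} contains bare CR or LF: #{line.inspect}"
      next
    end
    name, value = line.split(":", 2)
    # Reject empty names, whitespace in names (including obs-fold) and missing colons.
    if value.nil? || name.empty? || name =~ /\s/
      issues << "malformed header line #{i + 1}: #{line.inspect}"
      next
    end
    headers[name.downcase] = value.strip
  end

  { ok: issues.empty?, issues: issues, headers: headers, request_line: request_line }
end

if __FILE__ == $0
  [GOOD_REQUEST, BARE_LF_REQUEST].each { |req| p strict_header_lines(req) }
end
```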
