Body Background
TrendAI™ Zero Day Initiative™ Logo

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability

June 23rd, 2025
ZDI-25-414 ZDI-CAN-21876

CVE ID

CVE-2025-6442

CVSS Score

6.5 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Affected Vendors

Ruby

Affected Products

WEBrick

Vulnerability Details

This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions.

The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests.

Additional Details

Ruby has issued an update to correct this vulnerability. More details can be found at:
https://github.com/ruby/webrick/commit/ee60354bcb84ec33b9245e1d1aa6e1f7e8132101#diff-ad02984d873efb089aa51551bc6b7d307a53e0ba1ac439e91d69c2e58a478864

Disclosure Timeline

  • 2023-09-13 - Vulnerability reported to vendor
  • 2025-06-23 - Coordinated public release of advisory
  • 2025-06-23 - Advisory Updated

Credit

yadhukrishnam

Back to Advisories

Hero Background

Stand at the front line of proactive security

Trend ZDI connects the experts who discover, remediate, and defend.
Add your voice to the work that pushes attackers back.

RESEARCHERS

Submit a vulnerability

VENDORS

Learn how it works

ORGANIZATIONS

See how you're protected