CVE-2025-6442: Ruby WEBrick read_headers method can lead to HTTP Request/Response Smuggling

June 26, 2025 (updated June 30, 2025)

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions.

The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.

References

github.com/advisories/GHSA-r995-q44h-hr64
github.com/ruby/webrick
github.com/ruby/webrick/commit/ee60354bcb84ec33b9245e1d1aa6e1f7e8132101
github.com/rubysec/ruby-advisory-db/blob/master/gems/webrick/CVE-2025-6442.yml
nvd.nist.gov/vuln/detail/CVE-2025-6442
www.zerodayinitiative.com/advisories/ZDI-25-414

Code Behaviors & Features

Detect and mitigate CVE-2025-6442 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →