Ruby WEBrick
cpe:2.3:a:ruby-lang:webrick:*:*:*:*:ruby:*:*
A request smuggling vulnerability has been identified in Ruby WEBrick that allows remote attackers to inject arbitrary HTTP requests. The issue arises from inconsistent parsing of HTTP header terminators in the 'read_headers' method: WEBrick and a front-end proxy can disagree on where a request's header block ends, which is exploitable when WEBrick is deployed behind a proxy that interprets the terminators differently.
Successful exploitation results in HTTP request smuggling, in which a request crafted by an attacker is framed one way by the intermediary proxy and another way by the server, so that the server processes a request the proxy never saw or inspected.
The vulnerability is reproducible only in a deployment where Ruby WEBrick sits behind an HTTP proxy that handles header terminators differently from WEBrick. In that configuration, requests that trigger the parsing inconsistency in 'read_headers' pass through the proxy and are reassembled differently by the server.
Ruby has released a patch for this vulnerability. Users should update to the latest version of WEBrick.
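The defensive principle behind the fix is that a server and every proxy in front of it must agree on exactly what terminates a header line and the header block. The following is an added example, not WEBrick's own 'read_headers' and not code from the Ruby project: a strict header-block reader that accepts only CRLF as a terminator and rejects a bare LF or a stray CR, so there is no lenient interpretation for a front-end proxy to disagree with. The names StrictHeaderReader, read_headers and HeaderSyntaxError are assumptions chosen for this example, and the sample requests are constructed.

```ruby
# Added example: strict HTTP header-block parsing (hypothetical names, not WEBrick code).
# Only "\r\n" terminates a header line; a bare "\n" or a "\r" inside a line is rejected
# rather than silently tolerated, so the server cannot see a different header block than
# a strict proxy in front of it.

class HeaderSyntaxError < StandardError; end

module StrictHeaderReader
  # raw: request bytes starting at the first header line (the request line has been
  #      consumed already). Constructed input is used in the usage below.
  # Returns [headers, body_offset]: a Hash of lower-cased names to values, and the
  # byte index at which the body begins.
  def self.read_headers(raw)
    headers = {}
    pos = 0
    loop do
      nl = raw.index("\n", pos)
      raise HeaderSyntaxError, "header block not terminated" if nl.nil?
      # A "\n" that is not preceded by "\r" is a bare LF. A lenient parser might treat it
      # as a line terminator; a strict one refuses the request outright.
      unless nl > 0 && raw.getbyte(nl - 1) == 0x0d
        raise HeaderSyntaxError, "bare LF at byte #{nl}"
      end
      line = raw[pos...(nl - 1)]
      pos = nl + 1
      break if line.empty? # empty line (CRLF CRLF) ends the header block
      # A CR anywhere other than directly before LF is another terminator ambiguity.
      raise HeaderSyntaxError, "stray CR in header line" if line.include?("\r")
      name, value = line.split(":", 2)
      if value.nil? || name.empty? || name.match?(/\s/)
        raise HeaderSyntaxError, "malformed header line: #{line.inspect}"
      end
      headers[name.downcase] = value.strip
    end
    [headers, pos]
  end

  # Convenience wrapper: true when the header block would be accepted, false otherwise.
  def self.well_formed?(raw)
    read_headers(raw)
    true
  rescue HeaderSyntaxError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  good = "Host: example.test\r\nContent-Length: 3\r\n\r\nabc" # constructed
  bad  = "Host: example.test\nContent-Length: 3\r\n\r\nabc"   # constructed: bare LF
  headers, offset = StrictHeaderReader.read_headers(good)
  puts "headers=#{headers.inspect} body starts at #{offset}"
  puts "bare-LF request accepted? #{StrictHeaderReader.well_formed?(bad)}"
end
```

The reader is deliberately intolerant: obsolete line folding, bare LF and stray CR all raise rather than being normalized, because every tolerated variant is a potential point of disagreement with the intermediary. When evaluating a proxy and origin pair, feeding both the same malformed header block and confirming that both reject it is the practical check for this class of inconsistency.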