Ruby WEBrick HTTP RQ Smuggling via read_headers CVE-2025-6442
CVE-2025-6442 Published on June 25, 2025
Ruby WEBrick read_header HTTP Request Smuggling Vulnerability
Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions.
The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.
Weakness Type
What is a HTTP Request Smuggling Vulnerability?
When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.
CVE-2025-6442 has been classified to as a HTTP Request Smuggling vulnerability or weakness.
Products Associated with CVE-2025-6442
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-6442 are published in these products:
Affected Versions
Ruby WEBrick Version 1.8.1 is affected by CVE-2025-6442Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.