CVE-2025-6442

Publication date 25 June 2025

Last updated 1 August 2025

Ubuntu priority

Cvss 3 Severity Score

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
ruby-webrick	25.04 plucky	Vulnerable
	24.10 oracular	Ignored end of life, was needs-triage
	24.04 LTS noble	Vulnerable
	22.04 LTS jammy	Vulnerable

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
ruby-webrick	Upstream: ee60354

Severity score breakdown

Parameter	Value
Base score	6.5 · Medium
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity impact	High
Availability impact	None
Vector	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

References

Related Ubuntu Security Notices (USN)

USN-7709-1
WEBrick vulnerability
21 August 2025