EUVD-2025-19113

| CVE-2025-6442 MEDIUM
2025-06-25 [email protected] GHSA-r995-q44h-hr64
5.9
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 15, 2026 - 23:19 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 23:19 euvd
EUVD-2025-19113
Patch Released
Mar 15, 2026 - 23:19 nvd
Patch available
CVE Published
Jun 25, 2025 - 17:15 nvd
MEDIUM 5.9

Tags

Information Disclosure Ubuntu Debian Webrick Redhat Suse

Description

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.

Analysis

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions.

The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.

Technical Context

This vulnerability is classified as HTTP Request/Response Smuggling (CWE-444).

Affected Products

Affected products: Ruby-Lang Webrick

Remediation

A vendor patch is available. Apply it as soon as possible and verify the fix.

Priority Score

30
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +30
POC: 0

Vendor Status

Ubuntu

Priority: Medium
ruby-webrick
Release Status Version
oracular ignored end of life, was needs-triage
upstream released 1.9.1-1
jammy released 1.7.0-3ubuntu0.2
noble released 1.8.1-1ubuntu0.2
plucky released 1.8.1-1ubuntu1.1
questing released 1.9.1-1
jruby
Release Status Version
trusty needed -
xenial needed -
bionic needed -
focal needed -
jammy DNE -
noble not-affected vulnerable code not present
plucky not-affected vulnerable code not present
questing not-affected vulnerable code not present
upstream needs-triage -
ruby2.3
Release Status Version
jammy DNE -
noble DNE -
plucky DNE -
questing DNE -
upstream needs-triage -
xenial released 2.3.1-2~ubuntu16.04.16+esm11
ruby2.5
Release Status Version
jammy DNE -
noble DNE -
plucky DNE -
questing DNE -
upstream needs-triage -
bionic released 2.5.1-1ubuntu1.16+esm6
ruby2.7
Release Status Version
jammy DNE -
noble DNE -
plucky DNE -
questing DNE -
upstream needs-triage -
focal released 2.7.0-5ubuntu1.18+esm3
USN-7709-1 USN-7840-1

Debian

ruby-webrick
Release Status Fixed Version Urgency
bookworm vulnerable 1.8.1-1 -
trixie fixed 1.9.1-1 -
forky, sid fixed 1.9.2-1 -
(unstable) fixed 1.9.1-1 -

Share

EUVD-2025-19113 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy