Skip to main content
CVE Vulnerability Database

CVE-2025-6442: Ruby-lang Webrick RCE Vulnerability

CVE-2025-6442 is an RCE vulnerability in Ruby-lang Webrick that enables HTTP request smuggling through inconsistent parsing of HTTP header terminators. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-6442 Overview

CVE-2025-6442 is an HTTP Request Smuggling vulnerability affecting Ruby WEBrick, a popular HTTP server library for Ruby applications. The vulnerability exists in the read_headers method due to inconsistent parsing of HTTP header terminators. When WEBrick is deployed behind an HTTP proxy that fulfills specific conditions, remote attackers can exploit this flaw to smuggle arbitrary HTTP requests.

This vulnerability was originally tracked as ZDI-CAN-21876 by the Zero Day Initiative before receiving its CVE designation.

Critical Impact

Remote attackers can bypass security controls and smuggle malicious HTTP requests through proxy servers, potentially leading to cache poisoning, request hijacking, or unauthorized access to protected resources.

Affected Products

  • Ruby-lang WEBrick (all versions prior to patch)
  • Ruby applications using WEBrick as the HTTP server behind a proxy
  • Deployments where WEBrick handles requests forwarded by front-end HTTP proxies

Discovery Timeline

  • June 25, 2025 - CVE-2025-6442 published to NVD
  • August 18, 2025 - Last updated in NVD database

Technical Details for CVE-2025-6442

Vulnerability Analysis

The vulnerability resides in WEBrick's HTTP request parsing logic, specifically within the read_headers method in lib/webrick/httprequest.rb and the header parsing code in lib/webrick/httputils.rb. The core issue stems from how WEBrick handles line terminators in HTTP headers.

HTTP/1.1 specification (RFC 7230) mandates that HTTP messages use CRLF (\r\n) as line terminators. However, the vulnerable WEBrick implementation was overly permissive, accepting both CRLF and LF-only (\n) line endings through the use of the \r? optional pattern in its regular expressions.

This parsing inconsistency creates an HTTP Request Smuggling attack surface when WEBrick operates behind a front-end proxy server. If the proxy strictly adheres to RFC specifications and expects CRLF terminators while WEBrick accepts either format, an attacker can craft requests that are interpreted differently by each component, effectively smuggling additional requests through the proxy.

Root Cause

The root cause is the inconsistent parsing of HTTP header terminators in WEBrick's request processing code. The original regular expressions used patterns like \r?\n which made the carriage return (\r) optional, allowing bare line feeds (\n) to be accepted as valid terminators. This deviation from strict RFC compliance creates a parsing differential between WEBrick and compliant HTTP proxies.

Additionally, the header field parsing did not properly restrict characters that could appear in header values, specifically lacking explicit exclusion of \r, \n, and null (\0) characters within header content.

Attack Vector

HTTP Request Smuggling attacks exploit differences in how front-end and back-end servers parse HTTP requests. In this case, an attacker can send a specially crafted request where:

  1. The front-end proxy sees one request boundary based on strict CRLF parsing
  2. WEBrick interprets the same data stream differently due to its permissive LF-only acceptance
  3. This desynchronization allows additional "smuggled" requests to be injected

The attack requires the target WEBrick instance to be deployed behind an HTTP proxy, which is a common configuration in production environments.

ruby
# Vulnerable code in lib/webrick/httprequest.rb (before patch)
# The \r? makes carriage return optional, accepting both CRLF and LF
if /^(\S+)\s+(\S++)(?:\s+HTTP\/(\d+\.\d+))?\r?\n/mo =~ @request_line

# Patched code - now strictly requires CRLF
if /^(\S+) (\S++)(?: HTTP\/(\d+\.\d+))?\r\n/mo =~ @request_line

Source: GitHub Commit Details

ruby
# Vulnerable header parsing in lib/webrick/httputils.rb (before patch)
when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):(.*?)\z/om
  field, value = $1, $2.strip

# Patched code - requires CRLF and explicitly excludes dangerous characters
when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):([^\r\n\0]*?)\r\n\z/om
  field, value = $1, $2

Source: GitHub Commit Details

Detection Methods for CVE-2025-6442

Indicators of Compromise

  • Unusual HTTP requests in proxy logs containing malformed or bare LF line terminators
  • Discrepancies between proxy access logs and WEBrick application logs showing different request counts
  • Evidence of cache poisoning attacks or unexpected responses served to legitimate users
  • HTTP requests with embedded characters that should not appear in standard headers

Detection Strategies

  • Monitor for HTTP requests containing bare LF characters without preceding CR in headers
  • Implement log correlation between front-end proxies and WEBrick backends to detect request count mismatches
  • Deploy web application firewalls (WAF) with HTTP smuggling detection capabilities
  • Analyze network traffic for malformed HTTP messages targeting WEBrick endpoints

Monitoring Recommendations

  • Enable verbose logging on both proxy and WEBrick servers to capture full HTTP request details
  • Configure alerts for HTTP 400 (Bad Request) responses that may indicate smuggling attempts
  • Monitor for unusual patterns in request timing and response associations
  • Review application logs for signs of unauthorized actions that could result from smuggled requests

How to Mitigate CVE-2025-6442

Immediate Actions Required

  • Update WEBrick to the patched version containing commit ee60354bcb84ec33b9245e1d1aa6e1f7e8132101
  • Review proxy configurations to ensure strict HTTP/1.1 compliance
  • Audit deployments to identify all instances where WEBrick is used behind proxy servers
  • Consider temporarily placing additional request validation at the proxy layer

Patch Information

The vulnerability has been addressed in a security patch available from the Ruby WEBrick repository. The fix modifies the regular expressions in lib/webrick/httprequest.rb and lib/webrick/httputils.rb to strictly require CRLF (\r\n) line terminators as mandated by HTTP specifications.

The patch also adds explicit character restrictions in header value parsing, blocking carriage return (\r), line feed (\n), and null (\0) characters from appearing within header content.

For detailed patch information, see the GitHub commit and the Zero Day Initiative advisory.

Workarounds

  • Deploy WEBrick directly without front-end proxies if the deployment architecture permits
  • Configure the proxy to normalize all HTTP requests by converting bare LF to CRLF before forwarding
  • Implement strict HTTP request validation at the proxy layer to reject non-compliant requests
  • Consider using alternative Ruby HTTP servers (such as Puma or Unicorn) that may have stricter parsing
bash
# Example: Update WEBrick gem to the latest patched version
gem update webrick

# Verify the installed version
gem list webrick

# For Bundler-managed applications, update Gemfile.lock
bundle update webrick

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.