CVE-2025-6442 Overview
CVE-2025-6442 is an HTTP Request Smuggling vulnerability affecting Ruby WEBrick, a popular HTTP server library for Ruby applications. The vulnerability exists in the read_headers method due to inconsistent parsing of HTTP header terminators. When WEBrick is deployed behind an HTTP proxy that fulfills specific conditions, remote attackers can exploit this flaw to smuggle arbitrary HTTP requests.
This vulnerability was originally tracked as ZDI-CAN-21876 by the Zero Day Initiative before receiving its CVE designation.
Critical Impact
Remote attackers can bypass security controls and smuggle malicious HTTP requests through proxy servers, potentially leading to cache poisoning, request hijacking, or unauthorized access to protected resources.
Affected Products
- Ruby-lang WEBrick (all versions prior to patch)
- Ruby applications using WEBrick as the HTTP server behind a proxy
- Deployments where WEBrick handles requests forwarded by front-end HTTP proxies
Discovery Timeline
- June 25, 2025 - CVE-2025-6442 published to NVD
- August 18, 2025 - Last updated in NVD database
Technical Details for CVE-2025-6442
Vulnerability Analysis
The vulnerability resides in WEBrick's HTTP request parsing logic, specifically within the read_headers method in lib/webrick/httprequest.rb and the header parsing code in lib/webrick/httputils.rb. The core issue stems from how WEBrick handles line terminators in HTTP headers.
HTTP/1.1 specification (RFC 7230) mandates that HTTP messages use CRLF (\r\n) as line terminators. However, the vulnerable WEBrick implementation was overly permissive, accepting both CRLF and LF-only (\n) line endings through the use of the \r? optional pattern in its regular expressions.
This parsing inconsistency creates an HTTP Request Smuggling attack surface when WEBrick operates behind a front-end proxy server. If the proxy strictly adheres to RFC specifications and expects CRLF terminators while WEBrick accepts either format, an attacker can craft requests that are interpreted differently by each component, effectively smuggling additional requests through the proxy.
Root Cause
The root cause is the inconsistent parsing of HTTP header terminators in WEBrick's request processing code. The original regular expressions used patterns like \r?\n which made the carriage return (\r) optional, allowing bare line feeds (\n) to be accepted as valid terminators. This deviation from strict RFC compliance creates a parsing differential between WEBrick and compliant HTTP proxies.
Additionally, the header field parsing did not properly restrict characters that could appear in header values, specifically lacking explicit exclusion of \r, \n, and null (\0) characters within header content.
Attack Vector
HTTP Request Smuggling attacks exploit differences in how front-end and back-end servers parse HTTP requests. In this case, an attacker can send a specially crafted request where:
- The front-end proxy sees one request boundary based on strict CRLF parsing
- WEBrick interprets the same data stream differently due to its permissive LF-only acceptance
- This desynchronization allows additional "smuggled" requests to be injected
The attack requires the target WEBrick instance to be deployed behind an HTTP proxy, which is a common configuration in production environments.
# Vulnerable code in lib/webrick/httprequest.rb (before patch)
# The \r? makes carriage return optional, accepting both CRLF and LF
if /^(\S+)\s+(\S++)(?:\s+HTTP\/(\d+\.\d+))?\r?\n/mo =~ @request_line
# Patched code - now strictly requires CRLF
if /^(\S+) (\S++)(?: HTTP\/(\d+\.\d+))?\r\n/mo =~ @request_line
Source: GitHub Commit Details
# Vulnerable header parsing in lib/webrick/httputils.rb (before patch)
when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):(.*?)\z/om
field, value = $1, $2.strip
# Patched code - requires CRLF and explicitly excludes dangerous characters
when /^([A-Za-z0-9!\#$%&'*+\-.^_`|~]+):([^\r\n\0]*?)\r\n\z/om
field, value = $1, $2
Source: GitHub Commit Details
Detection Methods for CVE-2025-6442
Indicators of Compromise
- Unusual HTTP requests in proxy logs containing malformed or bare LF line terminators
- Discrepancies between proxy access logs and WEBrick application logs showing different request counts
- Evidence of cache poisoning attacks or unexpected responses served to legitimate users
- HTTP requests with embedded characters that should not appear in standard headers
Detection Strategies
- Monitor for HTTP requests containing bare LF characters without preceding CR in headers
- Implement log correlation between front-end proxies and WEBrick backends to detect request count mismatches
- Deploy web application firewalls (WAF) with HTTP smuggling detection capabilities
- Analyze network traffic for malformed HTTP messages targeting WEBrick endpoints
Monitoring Recommendations
- Enable verbose logging on both proxy and WEBrick servers to capture full HTTP request details
- Configure alerts for HTTP 400 (Bad Request) responses that may indicate smuggling attempts
- Monitor for unusual patterns in request timing and response associations
- Review application logs for signs of unauthorized actions that could result from smuggled requests
How to Mitigate CVE-2025-6442
Immediate Actions Required
- Update WEBrick to the patched version containing commit ee60354bcb84ec33b9245e1d1aa6e1f7e8132101
- Review proxy configurations to ensure strict HTTP/1.1 compliance
- Audit deployments to identify all instances where WEBrick is used behind proxy servers
- Consider temporarily placing additional request validation at the proxy layer
Patch Information
The vulnerability has been addressed in a security patch available from the Ruby WEBrick repository. The fix modifies the regular expressions in lib/webrick/httprequest.rb and lib/webrick/httputils.rb to strictly require CRLF (\r\n) line terminators as mandated by HTTP specifications.
The patch also adds explicit character restrictions in header value parsing, blocking carriage return (\r), line feed (\n), and null (\0) characters from appearing within header content.
For detailed patch information, see the GitHub commit and the Zero Day Initiative advisory.
Workarounds
- Deploy WEBrick directly without front-end proxies if the deployment architecture permits
- Configure the proxy to normalize all HTTP requests by converting bare LF to CRLF before forwarding
- Implement strict HTTP request validation at the proxy layer to reject non-compliant requests
- Consider using alternative Ruby HTTP servers (such as Puma or Unicorn) that may have stricter parsing
# Example: Update WEBrick gem to the latest patched version
gem update webrick
# Verify the installed version
gem list webrick
# For Bundler-managed applications, update Gemfile.lock
bundle update webrick
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
