CVE-2025-6442

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-6442
Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Exploitability : 2.2 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/ruby/webrick/commit/ee60354bcb84ec33b9245e1d1aa6e1f7e8132101#diff-ad02984d873efb089aa51551bc6b7d307a53e0ba1ac439e91d69c2e58a478864
https://www.zerodayinitiative.com/advisories/ZDI-25-414/
Configurations

No configuration.

History

26 Jun 2025, 18:57

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de contrabando de solicitudes HTTP en Ruby WEBrick read_header. Esta vulnerabilidad permite a atacantes remotos contrabandear solicitudes HTTP arbitrarias en las instalaciones afectadas de Ruby WEBrick. Este problema se puede explotar cuando el producto se implementa tras un proxy HTTP que cumple condiciones específicas. La falla específica se encuentra en el método read_headers. El problema se debe al análisis inconsistente de los terminadores de las cabeceras HTTP. Un atacante puede aprovechar esta vulnerabilidad para contrabandear solicitudes HTTP arbitrarias. Anteriormente, se denominó ZDI-CAN-21876.

25 Jun 2025, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-25 17:15

Updated : 2025-06-26 18:57

NVD link : CVE-2025-6442

Mitre link : CVE-2025-6442

CVE.ORG link : CVE-2025-6442

JSON object : View

Products Affected

No product.

CWE
CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')