CVE-2025-6442: Ruby WEBrick read_headers method can lead to HTTP Request/Response Smuggling

CVSS Score (v3.0)
6.5

Basic Information

EPSS Score
0.20927%
Published
6/26/2025
Updated
6/27/2025
KEV Status
No
Technology
Ruby

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Package Name
webrick
Ecosystem
rubygems
Vulnerable Versions
< 1.8.2
First Patched Version
1.8.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from inconsistent parsing of HTTP request-line and header terminators in the WEBrick library. WEBrick was more lenient than many proxy servers: it accepted a lone Line Feed (LF) as a line terminator in addition to the standard Carriage Return Line Feed (CRLF). A front-end proxy that recognises only CRLF therefore sees one request in a byte stream where WEBrick, treating an embedded LF as a delimiter, sees two separate requests, and that disagreement between the two parsers is what an attacker can exploit for request smuggling.

The patch addresses this by enforcing stricter adherence to RFC standards. The key changes are in WEBrick::HTTPRequest#read_header and WEBrick::HTTPRequest#read_request_line, where the regular expressions are modified to exclusively accept CRLF (\r\n) as the line terminator. Additionally, WEBrick::HTTPUtils.parse_header was updated to prevent forbidden characters (CR, LF, NUL) within header values. These functions are the direct runtime indicators of the vulnerability, as they are responsible for the initial parsing of the malicious, smuggled HTTP request.

Vulnerable functions

WEBrick::HTTPRequest#read_header
lib/webrick/httprequest.rb
The `read_header` function was modified to only accept CRLF as a line terminator, whereas before it accepted either CRLF or a lone LF. This inconsistent interpretation of HTTP header terminators allowed attackers to craft requests that would be interpreted differently by a proxy server and by WEBrick, leading to HTTP Request Smuggling.

WEBrick::HTTPRequest#read_request_line
lib/webrick/httprequest.rb
The `read_request_line` function's regex was changed to enforce a stricter requirement for CRLF (`\r\n`) at the end of the request line and to only allow a single space between elements. Previously, it allowed for more lenient spacing and an optional CR, which contributed to the inconsistent parsing that enables request smuggling.

WEBrick::HTTPUtils.parse_header
lib/webrick/httputils.rb
The `parse_header` function in `HTTPUtils` was vulnerable due to its lenient regex for parsing header fields. The updated regex now strictly requires CRLF line endings and disallows null bytes, CR, or LF characters within the header value itself. The previous implementation could misinterpret header boundaries, a key component of the request smuggling vulnerability.
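To make the parsing inconsistency described in the root-cause analysis and in the three function entries above concrete, here is an added Ruby example. It is not WEBrick's code and not the patch: it pairs a strict head parser (CRLF-only terminators, a single space between request-line tokens, no CR/LF/NUL inside header values, modelled on the RFC 9112 grammar) with a lenient one that reproduces the pre-fix behaviour the advisory describes, then runs both over constructed byte streams and reports where they disagree. The regular expressions, the sample streams and the helper names (`parse_head`, `parsers_disagree?`) are all assumptions made for this illustration.

```ruby
require 'stringio'

class HeadParseError < StandardError; end

# Strict patterns (assumption: written for this example after the RFC 9112
# grammar; they are not WEBrick's own regular expressions).
#   request-line = METHOD SP request-target SP HTTP-version CRLF
STRICT_REQUEST_LINE = /\A([A-Z]+) (\S+) (HTTP\/\d\.\d)\r\n\z/
#   header-field = token ":" OWS field-value OWS CRLF, no CR, LF or NUL in the value
STRICT_HEADER = /\A([!#\$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*([^\r\n\0]*?)[ \t]*\r\n\z/

# Lenient patterns modelling the pre-fix behaviour the advisory describes:
# runs of whitespace between tokens, an optional CR, and any byte in the value.
LENIENT_REQUEST_LINE = /\A([A-Z]+)\s+(\S+)\s+(HTTP\/\d\.\d)\r?\n\z/
LENIENT_HEADER = /\A([^:\s]+):\s*(.*?)\s*\r?\n\z/m

# Read one line. Strict mode treats only CRLF as a terminator, so a lone LF
# stays inside the line and is refused by the strict patterns above.
def read_line(io, strict)
  line = io.gets(strict ? "\r\n" : "\n")
  raise HeadParseError, 'unexpected end of stream' if line.nil?
  line
end

# Parse the request line and header block at the front of +data+.
# Returns { method:, target:, version:, headers: {} } or raises HeadParseError.
def parse_head(data, strict: true)
  io = StringIO.new(data)
  line = read_line(io, strict)
  m = (strict ? STRICT_REQUEST_LINE : LENIENT_REQUEST_LINE).match(line)
  raise HeadParseError, "bad request line: #{line.inspect}" unless m
  req = { method: m[1], target: m[2], version: m[3], headers: {} }
  loop do
    line = read_line(io, strict)
    break if line == "\r\n" || (!strict && line == "\n")
    h = (strict ? STRICT_HEADER : LENIENT_HEADER).match(line)
    raise HeadParseError, "bad header line: #{line.inspect}" unless h
    req[:headers][h[1].downcase] = h[2]
  end
  req
end

# nil when the chosen parser rejects the head, the parsed hash otherwise.
def try_parse(data, strict)
  parse_head(data, strict: strict)
rescue HeadParseError
  nil
end

# Two parsers that read different requests from the same bytes are the
# desynchronisation smuggling relies on; this reports such a disagreement.
def parsers_disagree?(data)
  try_parse(data, true) != try_parse(data, false)
end

# Constructed sample streams (not captured traffic).
SAMPLES = {
  clean:     "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
  lone_lf:   "GET / HTTP/1.1\r\nHost: example.test\nX-Extra: 1\r\n\r\n",
  double_sp: "GET  / HTTP/1.1\r\nHost: example.test\r\n\r\n",
  nul_value: "GET / HTTP/1.1\r\nHost: exam\0ple.test\r\n\r\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, bytes|
    strict = try_parse(bytes, true) ? 'accepted' : 'rejected'
    puts "#{name}: strict=#{strict}, parsers disagree? #{parsers_disagree?(bytes)}"
  end
end
```

Only the `clean` stream parses identically under both readers; the lone-LF, double-space and NUL-in-value streams are accepted by the lenient parser but rejected by the strict one, which is the behaviour the patched `read_header`, `read_request_line` and `parse_header` enforce. On a server you cannot patch immediately, the same `parsers_disagree?` check run over the raw head bytes is a reasonable way to flag requests worth logging.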

WAF Protection Rules

WAF Rule

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an
