DEBIAN-CVE-2025-6442

DEBIAN-CVE-2025-6442 PUBLISHED CVSS 5.900000095367432 MEDIUM

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876.

Risk Scores

CVSS 3.1

5.900000095367432

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products

Vendor	Product	Versions
Debian:13	ruby-webrick	0, 0
Debian:12	ruby-webrick	1.8.1-1, 1.9.2-1, 1.9.1-1
Debian:14	ruby-webrick	0, 0

Exploit Intelligence

CVE-2025-6442.yml (github-poc)
.bundler-audit.yml (github-poc)
macos_v2_generated.go (github-poc)
macos_v1_generated.go (github-poc)

Timeline

Jun 25, 2025 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-6442 advisory

Open in Interactive Console →