Skip to content

webrick-1.8.1.gem: 2 vulnerabilities (highest severity is: 8.7) [main] #54

Description

@renovate
📂 Vulnerable Library - webrick-1.8.1.gem

WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server.

Library home page: https://rubygems.org/gems/webrick-1.8.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /vendor/cache/webrick-1.8.1.gem

Findings

Finding Severity 🎯 CVSS Exploit Maturity EPSS Library Type Fixed in Remediation Available
CVE-2024-47220 🔴 High 8.7 Not Defined < 1% webrick-1.8.1.gem Direct N/A
CVE-2025-6442 🔴 High 8.3 Not Defined < 1% webrick-1.8.1.gem Direct webrick - 1.8.2,https://github.com/ruby/webrick.git - v1.8.2

Details

🔴CVE-2024-47220

Vulnerable Library - webrick-1.8.1.gem

WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server.

Library home page: https://rubygems.org/gems/webrick-1.8.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /vendor/cache/webrick-1.8.1.gem

Dependency Hierarchy:

  • webrick-1.8.1.gem (Vulnerable Library)

  • google-cloud-storage-1.45.0.gem (Root Library)

    • google-apis-iamcredentials_v1-0.17.0.gem
      • google-apis-core-0.11.2.gem
        • webrick-1.8.1.gem (Vulnerable Library)

Vulnerability Details

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."

Publish Date: Sep 22, 2024 12:00 AM

URL: CVE-2024-47220

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7


Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🔴CVE-2025-6442

Vulnerable Library - webrick-1.8.1.gem

WEBrick is an HTTP server toolkit that can be configured as an HTTPS server, a proxy server, and a virtual-host server.

Library home page: https://rubygems.org/gems/webrick-1.8.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /vendor/cache/webrick-1.8.1.gem

Dependency Hierarchy:

  • webrick-1.8.1.gem (Vulnerable Library)

  • google-cloud-storage-1.45.0.gem (Root Library)

    • google-apis-iamcredentials_v1-0.17.0.gem
      • google-apis-core-0.11.2.gem
        • webrick-1.8.1.gem (Vulnerable Library)

Vulnerability Details

Ruby WEBrick read_header HTTP Request Smuggling Vulnerability

Publish Date: Jun 25, 2025 04:52 PM

URL: CVE-2025-6442

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.3


Suggested Fix

Type: Upgrade version

Origin: ruby/webrick@ee60354

Release Date: Jun 22, 2025 09:00 PM

Fix Resolution : webrick - 1.8.2,https://github.com/ruby/webrick.git - v1.8.2

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions