RubySec

Providing security resources for the Ruby community

CVE-2024-47220 (webrick): HTTP Request Smuggling in ruby webrick


GEM

webrick

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

  • >= 1.8.2

DESCRIPTION

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request.

NOTE: the supplier's position is "Webrick should not be used in production."
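Added example, not WEBrick's own code: a front-line request-framing check in Ruby that refuses the ambiguous Content-Length plus Transfer-Encoding combination this advisory describes before any body bytes are read, and also refuses conflicting Content-Length values. The module name, sample request heads and the strict "chunked only" allowlist are constructed assumptions for this illustration.

```ruby
# Constructed example: reject requests whose message framing is ambiguous.
# A request that carries both Content-Length and Transfer-Encoding, or
# several different Content-Length values, leaves two parsers in a chain free
# to disagree about where the body ends, which is what request smuggling
# relies on. Rejecting such requests at the head removes the ambiguity.
module FramingCheck
  # Parse the head of an HTTP/1.1 request (everything before the blank line)
  # into [request_line, headers]; headers is a list of [name, value] pairs so
  # duplicate headers are kept visible instead of silently merged.
  def self.parse_head(raw)
    head = raw.split("\r\n\r\n", 2).first.to_s
    lines = head.split("\r\n")
    request_line = lines.shift
    headers = lines.map do |line|
      name, value = line.split(":", 2)
      [name.to_s.strip.downcase, value.to_s.strip]
    end
    [request_line, headers]
  end

  # Returns :ok when the framing is unambiguous, otherwise a symbol naming
  # the problem so the caller can log it and answer 400 before reading a body.
  def self.check(raw)
    _, headers = parse_head(raw)
    cl = headers.select { |n, _| n == "content-length" }.map(&:last)
    te = headers.select { |n, _| n == "transfer-encoding" }.map(&:last)

    return :cl_and_te if !cl.empty? && !te.empty?
    # "Content-Length: 5, 5" is tolerated by the RFC; "3" and "5" are not.
    cl_values = cl.flat_map { |v| v.split(",").map(&:strip) }.uniq
    return :multiple_cl if cl_values.size > 1
    return :bad_cl unless cl_values.all? { |v| v.match?(/\A\d+\z/) }
    # Strict allowlist (assumption): only a single "chunked" coding is accepted.
    codings = te.flat_map { |v| v.split(",").map { |c| c.strip.downcase } }
    return :unsupported_te unless codings.empty? || codings == ["chunked"]
    :ok
  end

  # Constructed sample heads modelled on the advisory, not captured traffic.
  SMUGGLED_HEAD = "POST /user HTTP/1.1\r\nHost: example.test\r\n" \
                  "Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
  NORMAL_HEAD   = "POST /user HTTP/1.1\r\nHost: example.test\r\n" \
                  "Content-Length: 4\r\n\r\n"
end
```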
