CVE-2024-47220

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions WEBrick toolkit versions through 1.8.1

Description An issue was discovered in the WEBrick toolkit for Ruby, allowing HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header. This can be achieved, for example, by including "GET /admin HTTP/1.1r " inside a "POST /user HTTP/1.1r " request. The supplier's position is that WEBrick should not be used in production.

Recommendations For WEBrick toolkit versions through 1.8.1, consider disabling the use of both Content-Length and Transfer-Encoding headers in HTTP requests as a temporary workaround until a patch is available. Restrict access to sensitive areas of the application to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

HTTP Request/Response Smuggling

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-444

Related Identifiers

BDU:2025-10615

CVE-2024-47220

GHSA-6F62-3596-G6W7

MGASA-2024-0348

OESA-2024-2226

OESA-2024-2247

OPENSUSE-SU-2025_0736-1

OPENSUSE-SU-2025_1369-1

SUSE-SU-2024:3939-1

SUSE-SU-2024_3939-1

SUSE-SU-2025:0736-1

SUSE-SU-2025:1369-1

SUSE-SU-2025:4264-1

SUSE-SU-2025_0736-1

SUSE-SU-2025_1369-1

USN-7057-1

USN-7057-2

USN-7840-1

Affected Products

Debian

Linuxmint

Red Os

Suse

Ubuntu

Webrick

CVE-2024-47220

Weakness Enumeration

Related Identifiers

Affected Products

References · 74