Ruby WEBrick < 1.8.2 HTTP Request Smuggling vulnerability in Gitlab 18.2.1

Running on RHEL 8 in FIPS mode, just upgraded gitlab-fips to 18.2.1. A Nessus RHEL 8 scan post-upgrade shows the following medium vulnerability on Ruby WEBrick, CVE-2025-6442:

Ruby WEBrick < 1.8.2 HTTP Request Smuggling
Description
The version of the WEBrick Ruby library installed on the remote host is prior to 1.8.2. It is, therefore, affected by an HTTP request smuggling vulnerability in the read_header. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to WEBrick version 1.8.2 or later.
See Also
http://www.nessus.org/u?824008ea
https://www.zerodayinitiative.com/advisories/ZDI-25-414/

Output

  Path              : /opt/gitlab/embedded/lib/ruby/gems/3.2.0/specifications//webrick-1.8.1.gemspec
  Installed version : 1.8.1
  Fixed version     : 1.8.2

It appears there are two versions of webrick embedded in Gitlab ([image]), where 1.8.1 has the vulnerability and 1.9.1 does not. Do we need both versions?

Is there a workaround/fix for this? I had hoped upgrading to 18.2.1 would address this, what version will it be addressed in?

Edited by 🤖 GitLab Bot 🤖
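Nessus flagged the gemspec file, not the code a process actually loads, so the first thing to establish is how many webrick copies sit under the embedded Ruby and which of them fall below the 1.8.2 fix version it reports. The script below is an added example, not code from the issue or from GitLab: it walks a gems tree for `webrick-*.gemspec` files, compares each version with `Gem::Version` (so `1.10.0` is correctly ordered above `1.8.2`), and reports the copies that are still below the fix. The demo tree it builds in a temporary directory, including the `bundled/specifications` sub-path and the `rack-3.0.0.gemspec` decoy, is constructed for the example; only the `/opt/gitlab/embedded/lib/ruby/gems` root comes from the Nessus output above.

```ruby
# Added example (not from the issue or from GitLab): enumerate gemspecs under a
# gems tree and flag every webrick copy below the fixed version Nessus reports.
require 'rubygems'
require 'tmpdir'
require 'fileutils'

FIXED_WEBRICK = Gem::Version.new('1.8.2') # "Fixed version" from the Nessus output

# Split "webrick-1.8.1.gemspec" into ["webrick", Gem::Version.new("1.8.1")].
# Returns nil for filenames that do not carry a parseable version.
def parse_gemspec_name(path)
  m = File.basename(path, '.gemspec').match(/\A(.+?)-(\d[\w.]*)\z/)
  return nil unless m && Gem::Version.correct?(m[2])
  [m[1], Gem::Version.new(m[2])]
end

# Recursively search the given specification directories for webrick gemspecs.
# Returns a path-sorted array of {path:, version:, vulnerable:} hashes, one per copy,
# where vulnerable means the version sorts below FIXED_WEBRICK.
def find_webrick_gemspecs(*dirs)
  dirs.flat_map { |d| Dir.glob(File.join(d, '**', 'webrick-*.gemspec')) }
      .filter_map do |path|
        name, version = parse_gemspec_name(path)
        next unless name == 'webrick'
        { path: path, version: version.to_s, vulnerable: version < FIXED_WEBRICK }
      end
      .sort_by { |h| h[:path] }
end

# Constructed demo tree mirroring the two copies the reporter saw (1.8.1 and
# 1.9.1) plus an unrelated gem; the directory layout is an assumption for the
# example, not GitLab's real layout. Returns the scan result with paths made
# relative to the temporary root.
def demo_scan
  Dir.mktmpdir('gems') do |root|
    %w[specifications/webrick-1.8.1.gemspec
       bundled/specifications/webrick-1.9.1.gemspec
       specifications/rack-3.0.0.gemspec].each do |rel|
      FileUtils.mkdir_p(File.dirname(File.join(root, rel)))
      File.write(File.join(root, rel), "# constructed placeholder gemspec\n")
    end
    find_webrick_gemspecs(root).map { |h| h.merge(path: h[:path].delete_prefix(root + '/')) }
  end
end

if $PROGRAM_NAME == __FILE__
  demo_scan.each do |h|
    status = h[:vulnerable] ? "VULNERABLE (< #{FIXED_WEBRICK})" : 'ok'
    puts format('%-45s %-7s %s', h[:path], h[:version], status)
  end
end
```

Against a real Omnibus install, call `find_webrick_gemspecs('/opt/gitlab/embedded/lib/ruby/gems')` with the embedded Ruby; a gemspec below 1.8.2 that no component ever requires is still what the scanner keys on, so the listing only answers which files exist, not whether the old copy is loaded by a running process.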