VYPR
High severity · NVD Advisory · Published Dec 9, 2008 · Updated Apr 23, 2026

CVE-2008-4310

Description

httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat Enterprise Linux 4 and 5, allows remote attackers to cause a denial of service (CPU consumption) via a crafted HTTP request. NOTE: this issue exists because of an incomplete fix for CVE-2008-3656.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions   Patched versions
webrick (RubyGems)   < 1.3.1             1.3.1

Affected products

3
  • Ruby Lang / Ruby (2 versions)
    • cpe:2.3:a:ruby-lang:ruby:1.8.1:*:*:*:*:*:*:*
    • cpe:2.3:a:ruby-lang:ruby:1.8.5:*:*:*:*:*:*:*
  • ghsa-coords
    Range: < 1.3.1

Patches

1
b2ccd5ff7ddd

* lib/webrick/httputils.rb (WEBrick::HTTPUtils#split_header_value):

https://github.com/ruby/webrick · nobu · Jul 25, 2008 · via ghsa
1 file changed · +4 −12
  • lib/webrick/httputils.rb  +4 −12  modified
    @@ -23,16 +23,8 @@ def normalize_path(path)
           ret = path.dup
     
           ret.gsub!(%r{/+}o, '/')                    # //      => /
    -      while ret.sub!(%r{/\.(/|\Z)}o, '/'); end   # /.      => /
    -      begin                                      # /foo/.. => /foo
    -        match = ret.sub!(%r{/([^/]+)/\.\.(/|\Z)}o){
    -          if $1 == ".."
    -            raise "abnormal path `#{path}'"
    -          else
    -            "/"
    -          end
    -        }
    -      end while match
    +      while ret.sub!(%r'/\.(?:/|\Z)', '/'); end  # /.      => /
    +      while ret.sub!(%r'/(?!\.\./)[^/]+/\.\.(?:/|\Z)', '/'); end # /foo/.. => /foo
     
           raise "abnormal path `#{path}'" if %r{/\.\.(/|\Z)} =~ ret
           ret
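Review bot: the trailing comment on the new `/foo/..` line, `# /foo/.. => /foo`, does not describe the substitution, which replaces the whole `/foo/..` and its trailing slash with `/`, so `/a/foo/../b` becomes `/a/b`; suggest `# /foo/../ => /`. Both new patterns also keep `\Z`, which matches before a trailing newline as well as at end of string; `\z` is the strict end anchor, and since the unchanged `abnormal path` check below uses `\Z` too, whichever is chosen should be used in all three places.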
    @@ -155,8 +147,8 @@ def parse_header(raw)
         module_function :parse_header
     
         def split_header_value(str)
    -      str.scan(/((?:"(?:\\.|[^"])+?"|[^",]+)+)
    -                (?:,\s*|\Z)/xn).collect{|v| v[0] }
    +      str.scan(%r'\G((?:"(?:\\.|[^"])+?"|[^",]+)+)
    +                    (?:,\s*|\Z)'xn).flatten
         end
         module_function :split_header_value
     
    
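Review bot: the nested repetition `((?:"(?:\\.|[^"])+?"|[^",]+)+)` is carried over unchanged into the new pattern; `\G` stops `scan` from retrying the pattern at later offsets once an attempt fails, but it does not change how many ways the inner `[^",]+` can be split across the outer `+` before the trailing `(?:,\s*|\Z)` is reported as failing. Please add a regression test with a long run of non-comma characters ending in an unmatched `"` so that the cost of one failing attempt is measured, not only the number of attempts. Also, `flatten` is equivalent to `collect{|v| v[0] }` here only because the pattern has exactly one capture group; a short comment saying so would stop a later edit from adding a second group and silently changing the return shape.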

Vulnerability mechanics

Root cause

"Incomplete fix for CVE-2008-3656: the `split_header_value` method uses a regex with excessive backtracking, allowing a crafted HTTP header to cause catastrophic CPU consumption."

Attack vector

An attacker sends a crafted HTTP request carrying a header value that WEBrick passes through `split_header_value` [patch_id=21760]. The pre-patch pattern `/((?:"(?:\\.|[^"])+?"|[^",]+)+)(?:,\s*|\Z)/xn` nests a repeated `[^",]+` inside an outer `(?:...)+`, so when the trailing `(?:,\s*|\Z)` fails to match, the engine tries every way of partitioning the preceding run of characters across the inner repetitions before giving up, and `String#scan` then restarts the whole attempt at the next offset of the value. That is what turns one request into a CPU-bound denial of service. No authentication is required; the request only has to reach a TCP port on which WEBrick is listening.

Affected code

The vulnerable code is in `lib/webrick/httputils.rb`. The denial of service described by the CVE is in `WEBrick::HTTPUtils.split_header_value` (declared as a `module_function`, so callable on the module as well as through `#`), whose `scan` pattern is the one quoted above [patch_id=21760]. The same commit also rewrites `normalize_path` in that file, replacing its `begin ... end while` loop over `..` segments; the CVE text attributes the CPU consumption to header parsing, so the `normalize_path` change should be read as part of the fix commit rather than as a second documented attack vector.

What the fix does

The patch anchors the `split_header_value` pattern with `\G` and replaces `collect{|v| v[0] }` with `flatten` [patch_id=21760]. `\G` matches only at the position where the current `scan` attempt starts, that is, at the end of the previous match, so once the pattern fails at some offset the scan ends there instead of retrying the pattern at every remaining offset of the header value; `flatten` is a straight equivalent of the old `collect` for a pattern with a single capture group. In `normalize_path`, the `begin ... end while match` loop, whose block raised when it met a `..` segment, becomes a plain `while ret.sub!(...)` loop whose pattern `/(?!\.\./)[^/]+/\.\.(?:/|\Z)` uses a negative lookahead so that a `..` segment is never consumed as the `foo` of `/foo/..`; any `..` left over is caught by the existing `raise "abnormal path"` check at the end of the method. For well-formed paths the two versions produce the same result.
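To see what the `\G` anchor and the lookahead actually change, here is an added example (not code from the advisory or from the webrick project) that places the pre-patch and post-patch bodies of both methods, copied from the hunks above, into two hypothetical modules `HeaderSplit` and `PathNorm` and runs them on constructed inputs. It covers both the header splitting described under Attack vector and the path normalisation described here:

```ruby
# Added example, not code from the advisory or from the webrick project: the
# pre- and post-patch bodies of split_header_value and normalize_path from
# commit b2ccd5ff7ddd, placed side by side in two hypothetical modules so the
# effect of the \G anchor and of the (?!\.\./) lookahead can be checked on
# constructed input. Module and method names are assumptions for this example.

module HeaderSplit
  # '-' lines of the second hunk. Without \G, String#scan retries the pattern
  # at every later offset after an attempt fails.
  OLD_RE = /((?:"(?:\\.|[^"])+?"|[^",]+)+)
            (?:,\s*|\Z)/xn

  # '+' lines of the second hunk. \G only matches where the current scan
  # attempt begins, i.e. at the end of the previous match.
  NEW_RE = %r'\G((?:"(?:\\.|[^"])+?"|[^",]+)+)
                (?:,\s*|\Z)'xn

  def self.split_old(str)
    str.scan(OLD_RE).collect { |v| v[0] }
  end

  def self.split_new(str)
    str.scan(NEW_RE).flatten
  end
end

module PathNorm
  # '-' lines of the first hunk: a `..` segment is rejected inside the sub! block.
  def self.normalize_old(path)
    ret = path.dup
    ret.gsub!(%r{/+}o, '/')                    # //       => /
    while ret.sub!(%r{/\.(/|\Z)}o, '/'); end   # /.       => /
    begin                                      # /foo/../ => /
      match = ret.sub!(%r{/([^/]+)/\.\.(/|\Z)}o) {
        if $1 == ".."
          raise "abnormal path `#{path}'"
        else
          "/"
        end
      }
    end while match
    raise "abnormal path `#{path}'" if %r{/\.\.(/|\Z)} =~ ret
    ret
  end

  # '+' lines of the first hunk: the lookahead keeps a `..` segment from being
  # consumed as the `foo` in `/foo/..`, leaving it for the final check.
  def self.normalize_new(path)
    ret = path.dup
    ret.gsub!(%r{/+}o, '/')
    while ret.sub!(%r'/\.(?:/|\Z)', '/'); end
    while ret.sub!(%r'/(?!\.\./)[^/]+/\.\.(?:/|\Z)', '/'); end
    raise "abnormal path `#{path}'" if %r{/\.\.(/|\Z)} =~ ret
    ret
  end

  # Returns :ok when the chosen version accepts the path, :abnormal when it
  # raises the "abnormal path" RuntimeError.
  def self.classify(path, version)
    version == :old ? normalize_old(path) : normalize_new(path)
    :ok
  rescue RuntimeError
    :abnormal
  end
end

if $0 == __FILE__
  # Constructed inputs.
  p HeaderSplit.split_old('foo, "bar, baz", qux')   # ["foo", "\"bar, baz\"", "qux"]
  p HeaderSplit.split_old('a, "b')                  # ["a", "b"]: scan skipped the bad quote
  p HeaderSplit.split_new('a, "b')                  # ["a"]: scan stopped at it
  p PathNorm.normalize_new('/a//b/../c/./')         # "/a/c/"
  p PathNorm.classify('/a/../../b', :new)           # :abnormal
end
```

On `'a, "b'` the old pattern fails at the unmatched quote, restarts one offset later and still returns `"b"`, while the anchored pattern stops at the failure and returns only `["a"]`; that restart is the scan behaviour the patch removes. The two normalizers agree on well-formed paths and both reject `/a/../../b` and `/../..`, the old one either inside its block or at the final check, the new one by never consuming the `..` segment and leaving it for that check.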

Preconditions

  • config: the target runs WEBrick from Ruby 1.8.1 or 1.8.5 (the builds shipped in Red Hat Enterprise Linux 4 and 5)
  • network: the attacker can send HTTP requests to the WEBrick listener
  • auth: none required
  • input: a header value crafted to trigger backtracking in the `split_header_value` pattern

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
