VYPR
High severity · OSV Advisory · Published Sep 22, 2024 · Updated Apr 15, 2026

CVE-2024-47220

Description

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WEBrick through 1.8.1 allows HTTP request smuggling via conflicting Content-Length and Transfer-Encoding headers.

Vulnerability

Details

CVE-2024-47220 describes an HTTP request smuggling vulnerability in the WEBrick HTTP server toolkit for Ruby, affecting versions through 1.8.1 [1]. The root cause is improper handling of HTTP requests that include both a Content-Length header and a Transfer-Encoding header. An attacker can craft a request that embeds a smuggled request (e.g., GET /admin HTTP/1.1\r\n) inside a benign-looking request (e.g., POST /user HTTP/1.1\r\n) [1]. This is a classic request smuggling scenario where the server parses the request boundaries differently than intended.

Exploitation

To exploit this vulnerability, an attacker sends an HTTP request with both headers to a WEBrick server. The server's parsing logic may interpret the message length based on one header while another part of the logic uses the other, leading to desynchronization [2]. The attack does not require authentication and can be performed from any network position that can reach the WEBrick server [1]. The smuggled request is often directed at a protected resource or endpoint that would otherwise be restricted.

Impact

Successful exploitation allows an attacker to bypass access controls, poison web caches, or perform actions under a different user's session [1]. For example, an attacker could access an administrative endpoint (/admin) that is normally not exposed directly. The impact depends on the server's configuration and the protected resources behind it.

Mitigation

The WEBrick developers have addressed this issue in a pull request [2]. Users should upgrade to WEBrick version 1.8.2 or later [4]. However, the official supplier's position is that WEBrick should not be used in production environments [1]. For production use, a more robust HTTP server such as Puma or Unicorn is recommended.
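To make the desynchronization described above concrete, here is an added Ruby illustration (not WEBrick's own code): a minimal request parser frames the body of the exact request used in the fix's test once by Content-Length and once by Transfer-Encoding, showing what each framing leaves behind on the connection, and then applies the same both-headers rejection the patch introduces. The constant SMUGGLING_REQUEST and the functions parse_head, read_chunked, leftover_after and read_body_strict are names chosen for this example.

```ruby
require "stringio"
# Constructed request with the same shape as the one in the fix's test: Content-Length
# covers the whole 28-byte body, while Transfer-Encoding says the body ends at "0".
SMUGGLING_REQUEST = [
  "POST /user HTTP/1.1", "Content-Length: 28", "Transfer-Encoding: chunked", "",
  "0", "", "GET /admin HTTP/1.1", "", ""
].join("\r\n")

# Parse the request line and headers; returns [request_line, headers, io at body start].
def parse_head(raw)
  io = StringIO.new(raw)
  request_line = io.readline.chomp
  headers = {}
  while (line = io.readline.chomp) != ""
    name, value = line.split(":", 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  [request_line, headers, io]
end

# Decode a chunked body: hex size line, data, CRLF, ..., "0", blank line (no trailers).
def read_chunked(io)
  body = +""
  loop do
    size = io.readline.chomp.to_i(16)
    break if size.zero?
    body << io.read(size)
    io.readline # CRLF terminating the chunk data
  end
  io.readline # blank line after the zero-size chunk
  body
end

# Lenient framing (the pre-fix hazard): honour whichever header the caller picks, then
# return what a second request parser would find still waiting on the connection.
def leftover_after(raw, framing)
  _, headers, io = parse_head(raw)
  framing == :chunked ? read_chunked(io) : io.read(headers["content-length"].to_i)
  io.read
end

# Hardened framing, mirroring the patch: refuse any request carrying both headers.
def read_body_strict(raw)
  _, headers, io = parse_head(raw)
  if headers["transfer-encoding"] && headers["content-length"]
    raise ArgumentError, "both transfer-encoding and content-length: possible request smuggling"
  end
  headers["transfer-encoding"] ? read_chunked(io) : io.read(headers["content-length"].to_i)
end
```

A component that frames by Content-Length consumes the whole 28 bytes and sees nothing left, while one that frames by Transfer-Encoding stops at the zero chunk and finds a complete GET /admin request waiting to be parsed next; the strict reader refuses the message before either interpretation is applied.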

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            | Affected versions | Patched versions
webrick (RubyGems) | < 1.8.2           | 1.8.2

Affected products: 39

Patches: 1

f5faca922254 · Prevent request smuggling

https://github.com/ruby/webrick · Jeremy Evans · Sep 18, 2024 · via ghsa
2 files changed · +22 -0
  • lib/webrick/httprequest.rb (+4 -0, modified)
    @@ -531,6 +531,10 @@ def parse_host_request_line(host)
         def read_body(socket, block)
           return unless socket
           if tc = self['transfer-encoding']
    +        if self['content-length']   
    +          raise HTTPStatus::BadRequest, "request with both transfer-encoding and content-length, possible request smuggling"
    +        end
    +
             case tc
             when /\Achunked\z/io then read_chunked(socket, block)
             else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}."
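Review bot: The rejection is placed inside read_body, so a request carrying both headers is only refused at the moment a handler reads the body; the test in this same patch shows parse succeeding on such a request and only req.body raising. A handler that never touches the body therefore never triggers the 400, and the request line and headers have already been accepted by then. Consider performing the `if self['content-length']` check at parse time so the request is rejected before any handler runs. Nit: the added `if self['content-length']` line carries trailing whitespace.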
    
  • test/webrick/test_httprequest.rb (+18 -0, modified)
    @@ -219,6 +219,24 @@ def test_duplicate_content_length_header
         }
       end
     
    +  def test_content_length_and_transfer_encoding_headers_smuggling
    +    msg = <<~HTTP.gsub("\n", "\r\n")
    +      POST /user HTTP/1.1
    +      Content-Length: 28
    +      Transfer-Encoding: chunked
    +
    +      0
    +
    +      GET /admin HTTP/1.1
    +
    +    HTTP
    +    req = WEBrick::HTTPRequest.new(WEBrick::Config::HTTP)
    +    req.parse(StringIO.new(msg))
    +    assert_raise(WEBrick::HTTPStatus::BadRequest){
    +      req.body
    +    }
    +  end
    +
       def test_parse_headers
         msg = <<~HTTP.gsub("\n", "\r\n")
           GET /path HTTP/1.1
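Review bot: assert_raise only checks the exception class, so this test would also pass if req.body raised BadRequest for an unrelated reason; capture the returned exception and check that its message mentions request smuggling. A negative case is also missing: the same message with only `Content-Length: 28` (and separately with only `Transfer-Encoding: chunked`) must still parse and yield a body, which guards the new check against rejecting legitimate requests. Finally, a one-line comment explaining that 28 is the length of the full body (`0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n`) would help, since a reader cannot otherwise see why that value was chosen.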
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8

News mentions: 0 (no linked articles in the index yet)