Skip to content

Remove webrick advisories CVE-2024-47220 and CVE-2026-38969#1164

Merged
jasnow merged 1 commit into
rubysec:masterfrom
hsbt:remove-webrick-advisories
Jul 10, 2026
Merged

Remove webrick advisories CVE-2024-47220 and CVE-2026-38969#1164
jasnow merged 1 commit into
rubysec:masterfrom
hsbt:remove-webrick-advisories

Conversation

@hsbt

@hsbt hsbt commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

I maintain ruby/webrick and I oversee vulnerability handling for the Ruby core team. WEBrick is a toolkit for testing and local development, not a production web server, as documented in the rdoc of lib/webrick.rb since ruby/webrick@d91c985 in 2020. CVE-2024-47220 and CVE-2026-38969 were assigned without any involvement of the maintainers, and neither is a vulnerability within that documented scope. A rejection request for CVE-2026-38969 has been filed with MITRE and is pending. See ruby/webrick#198.

Because webrick is a common test dependency, these records make bundler-audit flag countless applications that never expose WEBrick to untrusted traffic, and developers keep wasting time on scan results with no security meaning. That harms the Ruby ecosystem and undermines trust in bundler-audit itself. This PR deletes the two advisory files and adds both IDs to lib/rad-ignores.sh so the GHSA sync does not recreate them, following docs/external-data-improvements.md. Other webrick advisories are untouched.

cc @flavorjones

Both CVEs were assigned without any involvement of the WEBrick
maintainers, and WEBrick's documented scope has excluded production
deployment since 2020. The records generate false positives in
bundler-audit for applications that depend on webrick only in test
environments. Both IDs are added to lib/rad-ignores.sh so the GHSA
sync does not recreate the files. A rejection request for
CVE-2026-38969 has been filed with MITRE and is pending.

ruby/webrick@d91c985
ruby/webrick#198
Copilot AI review requested due to automatic review settings July 10, 2026 09:13

This comment was marked as low quality.

@jasnow jasnow merged commit a384350 into rubysec:master Jul 10, 2026
2 checks passed
@simi

simi commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

✅ just for the protocol

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants