Remove webrick advisories CVE-2024-47220 and CVE-2026-38969#1164
Merged
Conversation
Both CVEs were assigned without any involvement of the WEBrick maintainers, and WEBrick's documented scope has excluded production deployment since 2020. The records generate false positives in bundler-audit for applications that depend on webrick only in test environments. Both IDs are added to lib/rad-ignores.sh so the GHSA sync does not recreate the files. A rejection request for CVE-2026-38969 has been filed with MITRE and is pending. ruby/webrick@d91c985 ruby/webrick#198
jasnow
approved these changes
Jul 10, 2026
Contributor
|
✅ just for the protocol |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I maintain ruby/webrick and I oversee vulnerability handling for the Ruby core team. WEBrick is a toolkit for testing and local development, not a production web server, as documented in the rdoc of
lib/webrick.rbsince ruby/webrick@d91c985 in 2020. CVE-2024-47220 and CVE-2026-38969 were assigned without any involvement of the maintainers, and neither is a vulnerability within that documented scope. A rejection request for CVE-2026-38969 has been filed with MITRE and is pending. See ruby/webrick#198.Because
webrickis a common test dependency, these records makebundler-auditflag countless applications that never expose WEBrick to untrusted traffic, and developers keep wasting time on scan results with no security meaning. That harms the Ruby ecosystem and undermines trust inbundler-audititself. This PR deletes the two advisory files and adds both IDs tolib/rad-ignores.shso the GHSA sync does not recreate them, followingdocs/external-data-improvements.md. Other webrick advisories are untouched.cc @flavorjones