XSS in WEBrick (CVE-2010-0541)

A possible security vulnerability in WEBrick. The vulnerability has been reported as CVE-2010-0541.

WEBrick has a cross-site scripting vulnerability that allows an attacker to inject arbitrary script or HTML via a crafted URI. This does not affect user agents that strictly implement HTTP/1.1; however, some user agents do not.
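As an added illustration (not the patch and not WEBrick's own code), the following Ruby helper shows the two defences a server page that echoes the request URI needs: HTML-escaping of request-derived text and an explicitly declared charset, so a lax user agent has no room to guess another encoding. The `SafeErrorPage` module, its function names and the Rack-like return shape are assumptions made for this example.

```ruby
require 'cgi'

# Added example (not WEBrick's own code): build a 404 page that mentions the
# requested path without becoming an XSS sink.
#
# Two defences are combined here:
#   1. HTML-escape any request-derived text before placing it in the body.
#   2. Declare the charset explicitly. A strict HTTP/1.1 client already treats
#      text/* without a charset as ISO-8859-1; lax user agents may sniff the
#      encoding instead, which is the gap the advisory refers to.
module SafeErrorPage
  CONTENT_TYPE = 'text/html; charset=utf-8'.freeze

  # Tags the template itself emits; anything else in the output would have
  # to have come from unescaped request data.
  TEMPLATE_TAGS = %w[!DOCTYPE html head meta title body h1 p].freeze

  # Returns [status, headers, body] in a Rack-like shape (an assumption for
  # this example, not WEBrick's API) for a 404 page naming the requested path.
  def self.not_found(request_path)
    safe_path = CGI.escapeHTML(request_path.to_s)
    body = <<~HTML
      <!DOCTYPE html>
      <html><head><meta charset="utf-8"><title>404 Not Found</title></head>
      <body><h1>Not Found</h1><p>#{safe_path} was not found on this server.</p></body></html>
    HTML
    [404, { 'Content-Type' => CONTENT_TYPE, 'Content-Length' => body.bytesize.to_s }, body]
  end

  # Defensive self-check: true when every tag in the rendered body belongs to
  # the template, i.e. no request-supplied markup survived unescaped.
  def self.markup_neutralised?(request_path)
    _, _, body = not_found(request_path)
    body.scan(%r{</?([^\s>/]+)}).flatten.all? { |tag| TEMPLATE_TAGS.include?(tag) }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample of a request path carrying markup, used only as test input.
  sample = '/missing/<script>alert(1)</script>'
  status, headers, body = SafeErrorPage.not_found(sample)
  puts "#{status} #{headers['Content-Type']}"
  puts body
  puts "markup neutralised: #{SafeErrorPage.markup_neutralised?(sample)}"
end
```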

The affected versions are:

  • Ruby 1.8.6-p399 or any prior releases.
  • Ruby 1.8.7-p299 or any prior releases.
  • Ruby 1.9.1-p429 or any prior releases.
  • Ruby 1.9.2 RC2 or any prior releases.
  • Development versions of Ruby 1.9 (1.9.3dev).

We recommend that you upgrade your Ruby to the newest patch level releases.

  • Fixes for 1.8.6, 1.8.7 and 1.9.1 are to follow this announcement.
  • For development versions, please update to the most recent revision for each development branch.
  • You can also fix the vulnerability by applying a patch to
    The patch is available at
    It is written by Hirokazu NISHIO.
    466 bytes


The vulnerability was found by Apple and reported to the Ruby security team by Hideki Yamane. *1


  • Originally published at 2010-08-16 10:26:03 JST.
  • 1.9.1 patchlevel 430 released
  • 1.8.7 patchlevel 301 released
  • 1.8.7 patchlevel 302 released because pl301 was broken. Please use it instead.