Skip to content

Security Vulnerability: Remove or make WEBrick dependency optional due to CVE-2026-38969 #599

Description

@piyush-novatro

Description

The ferrum gem currently relies on webrick as a hard runtime dependency in its gemspec. Because webrick was extracted from the Ruby standard library, it receives fewer updates and has recently been hit with a security vulnerability that forces automated bundle security audits (like bundler-audit or Dependabot) to fail.

Running security checks against a project using ferrum now throws the following vulnerability warning:

Name: webrick
Version: 1.9.2
CVE: CVE-2026-38969
GHSA: GHSA-h4w6-wx8r-p68v
Criticality: Unknown
URL: https://nvd.nist.gov/vuln/detail/CVE-2026-38969
Title: ruby webrick through v1.9.2 WEBrick reparses trailer
Solution: remove or disable this gem until a patch is available!

Why this is a problem

Because webrick is a hard dependency of ferrum, downstream users of ferrum and cuprite cannot simply delete or exclude webrick from their projects without breaking Bundler resolution. This blocks CI/CD pipelines that enforce strict security audit checks.

Suggested Solutions

  1. Make WEBrick an Optional Dependency: Remove spec.add_dependency "webrick" from ferrum.gemspec. Instead, wrap the internal proxy initialization in a lazy-load check:

    begin
      require "webrick"
    rescue LoadError
      raise "Please add `gem 'webrick'` to your Gemfile to use Ferrum's proxy/request interception features."
    end

    This ensures standard browser interaction testing doesn't bundle the vulnerable gem by default.

  2. Migrate away from WEBrick: Refactor the internal proxy server to use a modern, actively maintained and secure alternative (like a minimal rack-compatible server setup or async-http).

Are the maintainers open to a Pull Request implementing option 1 to unblock downstream security audits?

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions