{"id":"CVE-2020-25613","details":"An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.","aliases":["BIT-ruby-2020-25613","BIT-ruby-min-2020-25613","GHSA-gwfg-cqmg-cf8f"],"modified":"2026-04-10T04:25:12.211729Z","published":"2020-10-06T13:15:13.823Z","related":["ALSA-2021:2584","ALSA-2021:2587","ALSA-2021:2588","MGASA-2020-0423","MGASA-2020-0440","SUSE-SU-2021:0933-1","SUSE-SU-2021:3837-1","openSUSE-SU-2021:0471-1","openSUSE-SU-2024:11310-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTZURYROG3FFED3TYCQOBV66BS4K6WOV/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-27"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210115-0008/"},{"type":"ADVISORY","url":"https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/"},{"type":"REPORT","url":"https://hackerone.com/reports/965267"},{"type":"FIX","url":"https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/ruby","events":[{"introduced":"0"},{"last_affected":"4992d9fd706a9cbe98c4b94e2dbcfc10e317e091"},{"introduced":"c1af7b1e1d408f9796a5f46c9ed36bc5adea4aa2"},{"last_affected":"27958c2bd64b27d529f81a130bd488ccc6b9b1d4"},{"introduced":"647ee6f091eafcce70ffb75ddf7e121e192ab217"},{"last_affected":"a0c7c23c9cec0d0ffcba012279cd652d28ad5bf3"},{"introduced":"0"},{"last_affected":"b7b94c375fa2f5ee48c41b4310e501d6cb479c9c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.5.8"},{"introduced":"2.6.0"},{"last_affected":"2.6.6"},{"introduced":"2.7.0"},{"last_affected":"2.7.1"},{"introduced":"0"},{"last_affected":"1.6.0"}]}},{"type":"GIT","repo":"https://github.com/ruby/webrick","events":[{"introduced":"0"},{"fixed":"8946bb38b4d87549f0d99ed73c62c41933f97cc7"}]}],"versions":["v1.4.0","v1.4.0.beta1","v1.4.1","v1.4.2","v1.5.0","v1.6.0","v1_0_r2","v1_6_0","v2_5_8","v2_6_6","v2_7_0","v2_7_1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-25613.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}