{"id":"CVE-2020-7670","details":"agoo prior to 2.14.0 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing. It is possible to conduct HTTP request smuggling attacks where `agoo` is used as part of a chain of backend servers due to insufficient `Content-Length` and `Transfer Encoding` parsing.","modified":"2026-04-11T13:53:27.071419Z","published":"2020-06-10T16:15:10.540Z","related":["SNYK-RUBY-AGOO-569137"],"references":[{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-RUBY-AGOO-569137"},{"type":"REPORT","url":"https://github.com/ohler55/agoo/issues/88"},{"type":"FIX","url":"https://github.com/ohler55/agoo/commit/23d03535cf7b50d679a60a953a0cae9519a4a130"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ohler55/agoo","events":[{"introduced":"0"},{"last_affected":"9c0a5c71f16ef62009e302414a15a32e42ca19db"},{"fixed":"23d03535cf7b50d679a60a953a0cae9519a4a130"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.12.3"}]}}],"versions":["v0.9.0","v0.9.1","v1.0.0","v1.1.0","v1.1.1","v1.1.2","v1.2.0","v1.2.1","v1.2.2","v2.0.0","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.1.0","v2.1.1","v2.1.3","v2.10.0","v2.11.0","v2.11.1","v2.11.2","v2.11.3","v2.11.4","v2.11.5","v2.11.6","v2.11.7","v2.12.0","v2.12.1","v2.12.2","v2.12.3","v2.13.0","v2.2.0","v2.2.1","v2.2.2","v2.3.0","v2.4.0","v2.5.0","v2.5.1","v2.5.5","v2.5.6","v2.5.7","v2.6.0","v2.6.1","v2.7.0","v2.8.0","v2.8.1","v2.8.2","v2.8.3","v2.8.4","v2.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7670.json","vanir_signatures_modified":"2026-04-11T13:53:27Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}