CVE-2020-25613
First published: Tue Sep 29 2020(Updated: )
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-ruby25-ruby | <0:2.5.9-9.el7 | 0:2.5.9-9.el7 |
| redhat/rh-ruby27-ruby | <0:2.7.3-129.el7 | 0:2.7.3-129.el7 |
| redhat/rh-ruby26-ruby | <0:2.6.7-119.el7 | 0:2.6.7-119.el7 |
| redhat/rubygem-webrick | <1.6.1 | 1.6.1 |
| redhat/ruby | <2.5.9 | 2.5.9 |
| redhat/ruby | <2.6.7 | 2.6.7 |
| redhat/ruby | <2.7.2 | 2.7.2 |
| rubygems/webrick | <1.6.1 | 1.6.1 |
| Ruby-lang Ruby | <=2.5.8 | |
| Ruby-lang Ruby | >=2.6.0<=2.6.6 | |
| Ruby-lang Ruby | >=2.7.0<=2.7.1 | |
| Ruby-lang Webrick Ruby | <=1.6.0 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-25613 https://nvd.nist.gov/vuln/detail/CVE-2020-25613 https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
- https://bugzilla.redhat.com/show_bug.cgi?id=1883623
- https://access.redhat.com/errata/RHSA-2021:2584
- https://access.redhat.com/errata/RHSA-2021:2587
- https://access.redhat.com/errata/RHSA-2021:2588
- https://access.redhat.com/errata/RHSA-2022:0581
- https://access.redhat.com/errata/RHSA-2022:0582
- https://access.redhat.com/errata/RHSA-2021:2104
- https://access.redhat.com/errata/RHSA-2021:2229
- https://access.redhat.com/errata/RHSA-2021:2230
- https://access.redhat.com/security/cve/cve-2020-25613
- https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7
- https://hackerone.com/reports/965267
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTZURYROG3FFED3TYCQOBV66BS4K6WOV/
- https://security.netapp.com/advisory/ntap-20210115-0008/
- https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883624
- https://www.ruby-lang.org/en/news/2020/10/02/ruby-2-7-2-released/
- https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-6-7-released/
- https://www.ruby-lang.org/en/news/2021/04/05/ruby-2-5-9-released/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTZURYROG3FFED3TYCQOBV66BS4K6WOV/
- https://security.gentoo.org/glsa/202401-27
- https://nvd.nist.gov/vuln/detail/CVE-2020-25613
- https://github.com/ruby/webrick/commit/076ac636bf48b7a492887ce4de7041de23e6c00d
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/webrick/CVE-2020-25613.yml
- https://github.com/advisories/GHSA-gwfg-cqmg-cf8f (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2020-25613?
The severity of CVE-2020-25613 is high.
How does CVE-2020-25613 affect Ruby versions?
CVE-2020-25613 affects Ruby versions 2.5.8 through 2.5.9, 2.6.0 through 2.6.6, and 2.7.0 through 2.7.1.
What is WEBrick?
WEBrick is a simple HTTP server bundled with Ruby.
What is HTTP request smuggling?
HTTP request smuggling is a vulnerability that allows an attacker to bypass security measures in reverse proxies by sending specially crafted requests that are interpreted differently by the proxy and the server handling the request.
How can I fix CVE-2020-25613?
To fix CVE-2020-25613, upgrade Ruby to version 2.5.9, 2.6.7, or 2.7.2, or apply the appropriate patches provided by your distribution.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/severity
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-25613
- agent/software-canonical-lookup
- agent/description
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-gwfg-cqmg-cf8f
- agent/references
- agent/event
- collector/github-advisory
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- package-manager/redhat
- package-manager/rubygems
- vendor/ruby-lang
- canonical/ruby-lang ruby
- version/ruby-lang ruby/2.5.8
- version/ruby-lang ruby/2.6.0
- version/ruby-lang ruby/2.6.6
- version/ruby-lang ruby/2.7.0
- version/ruby-lang ruby/2.7.1
- canonical/ruby-lang webrick ruby
- version/ruby-lang webrick ruby/1.6.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33