CVE-2020-25613
Description
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2020-25613 is an HTTP request smuggling vulnerability in Ruby's WEBrick server due to improper validation of the Transfer-Encoding header.
Vulnerability
CVE-2020-25613 is an HTTP request smuggling vulnerability in WEBrick, the HTTP server toolkit bundled with Ruby. The issue arises because WEBrick did not rigorously validate the Transfer-Encoding header value [1][2]: it matched the value with an unanchored substring check, so values that merely contain "chunked" were treated as chunked encoding. This lax header checking allows an attacker to craft HTTP requests that are interpreted differently by WEBrick and an intermediary reverse proxy.
Exploitation
Exploitation requires a reverse proxy situated in front of the WEBrick server that also performs weak validation of the Transfer-Encoding header [1]. An attacker sends a specially crafted HTTP request where the Transfer-Encoding header is ambiguous or malformed. The proxy and WEBrick parse the request differently, enabling the attacker to 'smuggle' a second, malicious request past the proxy to be processed by WEBrick [1]. No authentication is needed to exploit this; the attack is performed over the network.
Impact
Successful exploitation results in HTTP Request Smuggling. The attacker can bypass reverse proxy controls, potentially allowing them to poison web caches, perform session hijacking, or execute cross-site scripting (XSS) attacks on users [1]. The integrity of the proxy's security boundary is compromised, and other users may be served attacker-controlled responses.
Mitigation
The vulnerability was patched by the Ruby project. Users should update WEBrick to a version containing the fix, which is included in Ruby 2.5.9, 2.6.7, 2.7.2, and later versions [1]; users of the standalone webrick gem should update to the patched gem versions listed in the Affected packages table below. The fix involves stricter checking of the Transfer-Encoding header [1]: the value must now be exactly the token "chunked" rather than merely contain it. There is no mention of this CVE being listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
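The following is an added example, not WEBrick's own code or part of this advisory. It places the pre-fix and post-fix Transfer-Encoding regexes from the patch side by side and shows, on constructed sample header values, which values the old substring check accepted as chunked but the anchored check rejects. The `framing_decision` helper and the sample values are assumptions made for the example; the two regexes are the ones in the fix commits.

```ruby
# Added example (not WEBrick's own code): compares the pre-fix and post-fix
# Transfer-Encoding checks from the CVE-2020-25613 patch on sample header
# values. The regexes are the ones in the diff; the sample values are
# constructed here.

# Pre-fix: unanchored substring match, as in the vulnerable httprequest.rb.
LOOSE_CHUNKED  = /chunked/io
# Post-fix: the value must be exactly the token "chunked" (case-insensitive).
STRICT_CHUNKED = /\Achunked\z/io

# Mirrors the decision read_body makes: :chunked (use the chunked reader),
# :not_implemented (the 501 branch), or :content_length when no
# Transfer-Encoding header is present. Hypothetical helper for this example.
def framing_decision(transfer_encoding, pattern)
  return :content_length if transfer_encoding.nil?
  pattern =~ transfer_encoding ? :chunked : :not_implemented
end

# Constructed sample header values (nil = header absent).
SAMPLES = [
  "chunked",
  "Chunked",
  "xchunked",
  "chunked-foo",
  "gzip, chunked",
  nil,
].freeze

# Returns { value => [pre_fix_decision, post_fix_decision] }
def compare_checks(values = SAMPLES)
  values.each_with_object({}) do |v, out|
    out[v] = [framing_decision(v, LOOSE_CHUNKED), framing_decision(v, STRICT_CHUNKED)]
  end
end

# Values on which the two checks disagree: exactly the inputs where a front-end
# proxy with a stricter parser could frame the body differently from an
# unpatched WEBrick, which is the root of the smuggling risk.
def divergent_values(values = SAMPLES)
  compare_checks(values).select { |_, (before, after)| before != after }.keys
end

if __FILE__ == $0
  compare_checks.each do |v, (before, after)|
    printf("%-16s pre-fix: %-16s post-fix: %s\n", v.inspect, before, after)
  end
end
```

Note that the patched check also rejects RFC-permitted multi-coding values such as `gzip, chunked` with the 501 branch; that is the fail-closed direction, so a server behind a proxy no longer silently accepts a framing the proxy may have read differently.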
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| webrick (RubyGems) | >= 1.6.0, < 1.6.1 | 1.6.1 |
| webrick (RubyGems) | >= 1.5.0, < 1.5.1 | 1.5.1 |
| webrick (RubyGems) | < 1.4.4 | 1.4.4 |
Affected products
- Ruby/WEBrick (from the description); range: < 2.5.9. 43 product entries in total, 42 of them with OSV package coordinates:
  - pkg:bitnami/ruby
  - pkg:bitnami/ruby-min
  - pkg:gem/webrick
  - pkg:rpm/almalinux/rubygem-abrt, rubygem-abrt-doc, rubygem-bson, rubygem-bson-doc, rubygem-mongo, rubygem-mongo-doc, rubygem-mysql2, rubygem-mysql2-doc, rubygem-pg, rubygem-pg-doc
  - pkg:rpm/suse/ruby2.1 for: HPE Helion OpenStack 8; SUSE Linux Enterprise Server 12 SP2-BCL, 12 SP3-BCL, 12 SP3-LTSS, 12 SP4-LTSS, 12 SP5; SUSE Linux Enterprise Server for SAP Applications 12 SP3, 12 SP4, 12 SP5; SUSE Linux Enterprise Software Development Kit 12 SP5; SUSE OpenStack Cloud 8, 9; SUSE OpenStack Cloud Crowbar 8, 9
  - pkg:rpm/suse/ruby2.5 for: SUSE Enterprise Storage 6; SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS, 15 SP1-LTSS, 15-ESPOS, 15-LTSS; SUSE Linux Enterprise Micro 5.0; SUSE Linux Enterprise Module for Basesystem 15 SP2; SUSE Linux Enterprise Server 15 SP1-BCL, 15 SP1-LTSS, 15-LTSS; SUSE Linux Enterprise Server for SAP Applications 15, 15 SP1; SUSE Manager Proxy 4.0; SUSE Manager Retail Branch Server 4.0; SUSE Manager Server 4.0
- Version ranges recorded without a CPE (42 entries):
  - < 2.5.9 (2 entries)
  - >= 1.6.0, < 1.6.1
  - < 0.4.0-1.module_el8.4.0+2399+4e3a532a
  - < 0.4.0-1.module_el8.5.0+118+1ab773e1
  - < 4.8.1-1.module_el8.5.0+117+35d1289b
  - < 4.8.1-1.module_el8.3.0+6147+d0dfc1e4
  - < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4 (2 entries)
  - < 0.5.3-1.module_el8.4.0+2399+4e3a532a
  - < 0.5.3-1.module_el8.5.0+118+1ab773e1
  - < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4 (2 entries)
  - < 2.1.9-19.6.1 (14 entries)
  - < 2.5.8-4.14.1 (15 entries)
Patches
8946bb38b4d8: Make it more strict to interpret some headers
1 file changed · +3 −3
lib/webrick/httprequest.rb+3 −3 modified@@ -227,9 +227,9 @@ def parse(socket=nil) raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'." end - if /close/io =~ self["connection"] + if /\Aclose\z/io =~ self["connection"] @keep_alive = false - elsif /keep-alive/io =~ self["connection"] + elsif /\Akeep-alive\z/io =~ self["connection"] @keep_alive = true elsif @http_version < "1.1" @keep_alive = false @@ -508,7 +508,7 @@ def read_body(socket, block) return unless socket if tc = self['transfer-encoding'] case tc - when /chunked/io then read_chunked(socket, block) + when /\Achunked\z/io then read_chunked(socket, block) else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}." end elsif self['content-length'] || @remaining_size
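Review bot: in the first hunk (parse, the Connection check), the anchored `/\Aclose\z/io` and `/\Akeep-alive\z/io` now reject any value that is not exactly the single token, so a list value such as `Connection: keep-alive, Upgrade`, or a value with leading or trailing whitespace, silently falls through to the `elsif @http_version < "1.1"` default instead of being honoured; please confirm header values are trimmed before this point, or match the token as one element of the comma-separated list (split on `,`, strip each element, then apply the anchored match). The `o` flag on these literals is a no-op because nothing is interpolated and could be dropped for clarity.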
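Review bot: in the second hunk (read_body), `/\Achunked\z/io` closes the substring match that let any value containing "chunked" select read_chunked, and every other value, including a multi-coding list such as `gzip, chunked` that RFC 7230 allows with chunked last, now hits the `raise HTTPStatus::NotImplemented` branch; that is the safe fail-closed direction, but the commit message should state that multi-coding Transfer-Encoding values are intentionally rejected rather than leaving readers to infer it. Since the surrounding `if tc = self['transfer-encoding'] ... elsif self['content-length'] || @remaining_size` gives Transfer-Encoding precedence over Content-Length, consider also raising BadRequest when a request carries both headers, as RFC 7230 section 3.3.3 recommends, so the two framings can never disagree between this server and a front-end proxy.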
076ac636bf48: Make it more strict to interpret some headers
1 file changed · +3 −3
lib/webrick/httprequest.rb+3 −3 modified@@ -226,9 +226,9 @@ def parse(socket=nil) raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'." end - if /close/io =~ self["connection"] + if /\Aclose\z/io =~ self["connection"] @keep_alive = false - elsif /keep-alive/io =~ self["connection"] + elsif /\Akeep-alive\z/io =~ self["connection"] @keep_alive = true elsif @http_version < "1.1" @keep_alive = false @@ -503,7 +503,7 @@ def read_body(socket, block) return unless socket if tc = self['transfer-encoding'] case tc - when /chunked/io then read_chunked(socket, block) + when /\Achunked\z/io then read_chunked(socket, block) else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}." end elsif self['content-length'] || @remaining_size
7618049fa57d: Make it more strict to interpret some headers
1 file changed · +3 −3
lib/webrick/httprequest.rb+3 −3 modified@@ -226,9 +226,9 @@ def parse(socket=nil) raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'." end - if /close/io =~ self["connection"] + if /\Aclose\z/io =~ self["connection"] @keep_alive = false - elsif /keep-alive/io =~ self["connection"] + elsif /\Akeep-alive\z/io =~ self["connection"] @keep_alive = true elsif @http_version < "1.1" @keep_alive = false @@ -503,7 +503,7 @@ def read_body(socket, block) return unless socket if tc = self['transfer-encoding'] case tc - when /chunked/io then read_chunked(socket, block) + when /\Achunked\z/io then read_chunked(socket, block) else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}." end elsif self['content-length'] || @remaining_size
af2efdcdf826: Make it more strict to interpret some headers
1 file changed · +3 −3
lib/webrick/httprequest.rb+3 −3 modified@@ -226,9 +226,9 @@ def parse(socket=nil) raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'." end - if /close/io =~ self["connection"] + if /\Aclose\z/io =~ self["connection"] @keep_alive = false - elsif /keep-alive/io =~ self["connection"] + elsif /\Akeep-alive\z/io =~ self["connection"] @keep_alive = true elsif @http_version < "1.1" @keep_alive = false @@ -503,7 +503,7 @@ def read_body(socket, block) return unless socket if tc = self['transfer-encoding'] case tc - when /chunked/io then read_chunked(socket, block) + when /\Achunked\z/io then read_chunked(socket, block) else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}." end elsif self['content-length'] || @remaining_size
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
20 references:
- github.com/advisories/GHSA-gwfg-cqmg-cf8f (ghsa; ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ/ (mitre; vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTZURYROG3FFED3TYCQOBV66BS4K6WOV/ (mitre; vendor-advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-25613 (ghsa; ADVISORY)
- security.gentoo.org/glsa/202401-27 (ghsa; vendor-advisory; WEB)
- github.com/ruby/webrick/commit/076ac636bf48b7a492887ce4de7041de23e6c00d (ghsa; WEB)
- github.com/ruby/webrick/commit/7618049fa57ddad2efff2a7bc7dad7d2d8a311b1 (ghsa; WEB)
- github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7 (ghsa; WEB)
- github.com/ruby/webrick/commit/af2efdcdf826f25592202d187c53963e7932e4b9 (ghsa; WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/webrick/CVE-2020-25613.yml (ghsa; WEB)
- hackerone.com/reports/965267 (ghsa; WEB)
- lists.debian.org/debian-lts-announce/2023/04/msg00033.html (ghsa; mailing-list; WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTZURYROG3FFED3TYCQOBV66BS4K6WOV (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTZURYROG3FFED3TYCQOBV66BS4K6WOV (ghsa; WEB)
- security.netapp.com/advisory/ntap-20210115-0008 (ghsa; WEB)
- www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613 (ghsa; WEB)
- security.netapp.com/advisory/ntap-20210115-0008/ (mitre)
- www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/ (mitre)
News mentions
No linked articles in our index yet.