HTTP Request Smuggling Vulnerability in Ruby's WEBrick Server
CVE-2020-25613

7.5HIGH

Key Information:

Vendor: Ruby-lang
Status: Ruby; Webrick
Vendor: CVE Published:; 6 October 2020

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2020-25613?

A flaw in Ruby's bundled WEBrick HTTP server allowed inadequate validation of the transfer-encoding header. This oversight may be exploited by attackers to evade reverse proxy security measures, potentially facilitating HTTP request smuggling, which could lead to unauthorized access or malicious actions across web applications. Developers using affected Ruby versions are encouraged to update to mitigate potential security risks.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2020-25613
Created by metapox

References

https://hackerone.com/reports/965267

https://www.ruby-lang.org/en/news/2020/09/29/http-request...

https://github.com/ruby/webrick/commit/8946bb38b4d87549f0...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Mar 30, 2022
👾
Exploit known to exist
Mar 30, 2022
Vulnerability published
Oct 6, 2020
Vulnerability Reserved
Sep 16, 2020

Ruby-lang

Badges

What is CVE-2020-25613?

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline