CVE-2020-25613: Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)

October 6, 2020 (updated January 15, 2021)

An issue was discovered in Ruby WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

References

nvd.nist.gov/vuln/detail/CVE-2020-25613
www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/

Code Behaviors & Features

Detect and mitigate CVE-2020-25613 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →