CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
Posted by mame on 29 Sep 2020
A potential HTTP request smuggling vulnerability in WEBrick was reported. This vulnerability has been assigned the CVE identifier CVE-2020-25613. We strongly recommend upgrading the webrick gem.
Details
WEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to “smuggle” a request. See CWE-444 in detail.
Please update the webrick gem to version 1.6.1 or later. You can use gem update webrick to update it. If you are using bundler, please add gem "webrick", ">= 1.6.1" to your Gemfile.
Affected versions
- webrick gem 1.6.0 or prior
- bundled versions of webrick in ruby 2.7.1 or prior
- bundled versions of webrick in ruby 2.6.6 or prior
- bundled versions of webrick in ruby 2.5.8 or prior
Credits
Thanks to piao for discovering this issue.
History
- Originally published at 2020-09-29 06:30:00 (UTC)
Recent News
Ruby 3.2.10 Released
Ruby 3.2.10 has been released.
Posted by hsbt on 14 Jan 2026
Ruby 4.0.1 Released
Ruby 4.0.1 has been released.
Posted by k0kubun on 13 Jan 2026
Ruby 4.0.0 Released
We are pleased to announce the release of Ruby 4.0.0. Ruby 4.0 introduces “Ruby Box” and “ZJIT”, and adds many improvements.
Posted by naruse on 25 Dec 2025
A New Look for Ruby's Documentation
Following the ruby-lang.org redesign, we have more news to celebrate Ruby’s 30th anniversary: docs.ruby-lang.org has a completely new look with Aliki—RDoc’s new default theme.
Posted by Stan Lo on 23 Dec 2025