HTTP Request Smuggling Affecting iodine package, versions <0.7.39
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-IODINE-569134
- published 8 Jun 2020
- disclosed 18 May 2020
- credit Sam Sanoop of Snyk Security Team
How to fix?
Upgrade iodine to version 0.7.39 or higher.
Overview
iodine is a fast HTTP / Websocket Server with built-in Pub/Sub support (with or without Redis), static file support and many other features, optimized for Ruby MRI on Linux / BSD / macOS.
Affected versions of this package are vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Content-Length and Transfer encoding header parsing.
It could be possible to conduct HTTP request smuggling attacks where iodine is used as part of a chain of backend servers due to insufficient Content-Length and Transfer Encoding parsing.