Puma HTTP Request/Response Smuggling vulnerability

Impact

Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.

Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.

Patches

The vulnerability has been fixed in 6.4.2 and 5.6.8.

Workarounds

No known workarounds.

References

HTTP Request Smuggling
Open an issue in Puma
See our security policy

References

nateberkopec published to puma/puma Jan 8, 2024

Published by the National Vulnerability Database Jan 8, 2024

Published to the GitHub Advisory Database Jan 8, 2024

Reviewed Jan 8, 2024

Last updated Jan 9, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Weaknesses

CVE ID

GHSA ID

Source code

Credits