Ruby/puma/2.2.2
Puma is a simple, fast, threaded, and highly parallel HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly parallel Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.
https://rubygems.org/gems/puma
UNKNOWN
24 Security Vulnerabilities
HTTP Response Splitting (Early Hints) in Puma
- https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
- https://nvd.nist.gov/vuln/detail/CVE-2020-5249
- https://github.com/advisories/GHSA-33vf-4xgg-9r58
- https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
- https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
- https://owasp.org/www-community/attacks/HTTP_Response_Splitting
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5249.yml
Impact
If an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.
While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses.
Patches
This has been fixed in 4.3.3 and 3.12.4.
Workarounds
Users can not allow untrusted/user input in the Early Hints response header.
For more information
If you have any questions or comments about this advisory: * Open an issue in puma * Email us a project maintainer. Email addresses are listed in our Code of Conduct.
Puma with proxy which forwards LF characters as line endings could allow HTTP request smuggling
- https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
- https://nvd.nist.gov/vuln/detail/CVE-2021-41136
- https://github.com/advisories/GHSA-48w2-rm65-62xx
- https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f
- https://github.com/puma/puma/releases/tag/v4.3.9
- https://github.com/puma/puma/releases/tag/v5.5.1
- https://www.debian.org/security/2022/dsa-5146
- https://security.gentoo.org/glsa/202208-28
- https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-41136.yml
Impact
Prior to puma
version 5.5.0, using puma
with a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.
This behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as low
. Puma is only aware of a single proxy server which has this behavior.
If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.
Patches
This vulnerability was patched in Puma 5.5.1 and 4.3.9.
Workarounds
This vulnerability only affects Puma installations without any proxy in front.
Use a proxy which does not forward LF characters as line endings.
Proxies which do not forward LF characters as line endings:
- Nginx
- Apache (>2.4.25)
- Haproxy
- Caddy
- Traefik
Possible Breakage
If you are dealing with legacy clients that want to send LF
as a line ending in an HTTP header, this will cause those clients to receive a 400
error.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in Puma
- See our security policy
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack
- https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
- https://nvd.nist.gov/vuln/detail/CVE-2019-16770
- https://github.com/advisories/GHSA-7xx3-m584-x994
- https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2019-16770.yml
Keepalive thread overload/DoS
Impact
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack.
If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
Patches
This vulnerability is patched in Puma 4.3.1 and 3.12.2.
Workarounds
Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.
For more information
If you have any questions or comments about this advisory:
- Open an issue at puma.
HTTP Response Splitting in Puma
- https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
- https://nvd.nist.gov/vuln/detail/CVE-2020-5247
- https://github.com/advisories/GHSA-84j7-475p-hp8v
- https://github.com/puma/puma/commit/c36491756f68a9d6a8b3a49e7e5eb07fe6f1332f
- https://owasp.org/www-community/attacks/HTTP_Response_Splitting
- https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
- https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5247.yml
In Puma (RubyGem) before 4.3.2 and 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. CR
, LF
or/r
, /n
) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.
While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server.
This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
Puma's header normalization allows for client to clobber proxy set headers
- https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
- https://nvd.nist.gov/vuln/detail/CVE-2024-45614
- https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043
- https://github.com/puma/puma/commit/f196b23be24712fb8fb16051cc124798cc84f70e
- https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-45614.yml
- https://github.com/advisories/GHSA-9hf4-67fc-4vf4
Impact
Clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack.
Patches
v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win.
Workarounds
Nginx has a underscoresinheaders configuration variable to discard these headers at the proxy level.
Any users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.
Puma HTTP Request/Response Smuggling vulnerability
- https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
- https://nvd.nist.gov/vuln/detail/CVE-2024-21647
- https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93
- https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7
- https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
- https://github.com/advisories/GHSA-c2f4-cvqm-65w2
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml
Impact
Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.
Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.
Patches
The vulnerability has been fixed in 6.4.2 and 5.6.8.
Workarounds
No known workarounds.
References
- HTTP Request Smuggling
- Open an issue in Puma
- See our security policy
Puma vulnerable to HTTP Request Smuggling
- https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
- https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
- https://github.com/advisories/GHSA-h99w-9q5r-gjq9
- https://nvd.nist.gov/vuln/detail/CVE-2022-24790
- https://portswigger.net/web-security/request-smuggling
- https://www.debian.org/security/2022/dsa-5146
- https://security.gentoo.org/glsa/202208-28
- https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-24790.yml
When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.
The following vulnerabilities are addressed by this advisory:
- Lenient parsing of Transfer-Encoding
headers, when unsupported encodings should be rejected and the final encoding must be chunked
.
- Lenient parsing of malformed Content-Length
headers and chunk sizes, when only digits and hex digits should be allowed.
- Lenient parsing of duplicate Content-Length
headers, when they should be rejected.
- Lenient parsing of the ending of chunked segments, when they should end with \r\n
.
The vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
These proxy servers are known to have good
behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.
- Nginx (latest)
- Apache (latest)
- Haproxy 2.5+
- Caddy (latest)
- Traefik (latest)
Puma's Keepalive Connections Causing Denial Of Service
- https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
- https://nvd.nist.gov/vuln/detail/CVE-2021-29509
- https://github.com/advisories/GHSA-q28m-8xjw-8vr5
- https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837
- https://github.com/puma/puma/security/policy
- https://rubygems.org/gems/puma
- https://security.gentoo.org/glsa/202208-28
- https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-29509.yml
This vulnerability is related to CVE-2019-16770.
Impact
The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.
A puma
server which received more concurrent keep-alive
connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.
Patches
This problem has been fixed in puma
4.3.8 and 5.3.1.
Workarounds
Setting queue_requests false
also fixes the issue. This is not advised when using puma
without a reverse proxy, such as nginx
or apache
, because you will open yourself to slow client attacks (e.g. slowloris).
The fix is very small. A git patch is available here for those using unsupported versions of Puma.
For more information
If you have any questions or comments about this advisory:
- Open an issue in Puma.
- To report problems with this fix or to report another vulnerability, see our security policy.
Acknowledgements
Thank you to @MSP-Greg, @wjordan and @evanphx for their review on this issue.
Thank you to @ioquatix for providing a modified fork of wrk
which made debugging this issue much easier.
Puma used with Rails may lead to Information Exposure
- https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
- https://github.com/puma/puma/commit/b70f451fe8abc0cff192c065d549778452e155bb
- https://github.com/advisories/GHSA-rmj8-8hhh-gv5h
- https://nvd.nist.gov/vuln/detail/CVE-2022-23634
- https://github.com/advisories/GHSA-wh98-p28r-vrc9
- https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ?utm_medium=email&utm_source=footer&pli=1
- https://www.debian.org/security/2022/dsa-5146
- https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
- https://security.gentoo.org/glsa/202208-28
- https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-23634.yml
Impact
Prior to puma
version 5.6.2
, puma
may not always call close
on the response body. Rails, prior to version 7.0.2.2
, depended on the response body being closed in order for its CurrentAttributes
implementation to work correctly.
From Rails:
Under certain circumstances response bodies will not be closed, for example a bug in a webserver[1] or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.
The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage.
Patches
This problem is fixed in Puma versions 5.6.2 and 4.3.11.
This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
See: https://github.com/advisories/GHSA-wh98-p28r-vrc9 for details about the rails vulnerability
Upgrading to a patched Rails or Puma version fixes the vulnerability.
Workarounds
Upgrade to Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
The Rails CVE includes a middleware that can be used instead.
References
- Rails CVE: CVE-2022-23633
For more information
If you have any questions or comments about this advisory: * Open an issue in puma * See our security policy
HTTP Smuggling via Transfer-Encoding Header in Puma
- https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm
- https://nvd.nist.gov/vuln/detail/CVE-2020-11077
- https://github.com/advisories/GHSA-w64w-qqph-5gxm
- https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/
- https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-11077.yml
Impact
This is a similar but different vulnerability to the one patched in 3.12.5 and 4.3.4.
A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.
If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.
Patches
The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.
For more information
If you have any questions or comments about this advisory:
- Open an issue in Puma
- See our security policy
HTTP Smuggling via Transfer-Encoding Header in Puma
- https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
- https://nvd.nist.gov/vuln/detail/CVE-2020-11076
- https://github.com/advisories/GHSA-x7jg-6pwg-fx5h
- https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd
- https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/
- https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-11076.yml
Impact
By using an invalid transfer-encoding header, an attacker could smuggle an HTTP response.
Originally reported by @ZeddYu, who has our thanks for the detailed report.
Patches
The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
For more information
If you have any questions or comments about this advisory:
- Open an issue in Puma
- See our security policy
Keepalive thread overload/DoS in puma
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack.
If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
HTTP Smuggling via Transfer-Encoding Header in Puma
Impact
By using an invalid transfer-encoding header, an attacker could smuggle an HTTP response.
Patches
The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
HTTP Smuggling via Transfer-Encoding Header in Puma
Impact
This is a similar but different vulnerability to the one patched in 3.12.5 and 4.3.4.
A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.
If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.
Patches
The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.
HTTP Response Splitting vulnerability in puma
If an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. CR, LF) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.
While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
HTTP Response Splitting (Early Hints) in Puma
Impact
If an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting
While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses.
Patches
This has been fixed in 4.3.3 and 3.12.4.
Workarounds
Users can not allow untrusted/user input in the Early Hints response header.
Keepalive Connections Causing Denial Of Service in puma
Impact
The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.
A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.
Patches
This problem has been fixed in puma 4.3.8 and 5.3.1.
Workarounds
Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris).
The fix is very small. A git patch is available here for those using unsupported versions of Puma.
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Impact
Prior to puma
version 5.5.0, using puma
with a proxy which forwards LF characters as line endings could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.
This behavior (forwarding LF characters as line endings) is very uncommon amongst proxy servers, so we have graded the impact here as low
. Puma is only aware of a single proxy server which has this behavior.
If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.
Patches
This vulnerability was patched in Puma 5.5.1 and 4.3.9.
Workarounds
This vulnerability only affects Puma installations without any proxy in front.
Use a proxy which does not forward LF characters as line endings.
Proxies which do not forward LF characters as line endings:
- Nginx
- Apache (>2.4.25)
- Haproxy
- Caddy
- Traefik
Possible Breakage
If you are dealing with legacy clients that want to send LF
as a line ending in an HTTP header, this will cause those clients to receive a 400
error.
References
Information Exposure with Puma when used with Rails
Impact
Prior to puma
version 5.6.2
, puma
may not always call
close
on the response body. Rails, prior to version 7.0.2.2
, depended on the
response body being closed in order for its CurrentAttributes
implementation to
work correctly.
From Rails:
Under certain circumstances response bodies will not be closed, for example a bug in a webserver[1] or a bug in a Rack middleware. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with ActiveSupport::CurrentAttributes.
The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage.
Patches
This problem is fixed in Puma versions 5.6.2 and 4.3.11.
This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
See: https://github.com/advisories/GHSA-wh98-p28r-vrc9 for details about the rails vulnerability
Upgrading to a patched Rails or Puma version fixes the vulnerability.
Workarounds
Upgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
The Rails CVE includes a middleware that can be used instead.
HTTP Request Smuggling in puma
Impact
When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.
The following vulnerabilities are addressed by this advisory:
- Lenient parsing of Transfer-Encoding
headers, when unsupported encodings
should be rejected and the final encoding must be chunked
.
- Lenient parsing of malformed Content-Length
headers and chunk sizes, when
only digits and hex digits should be allowed.
- Lenient parsing of duplicate Content-Length
headers, when they should be
rejected.
- Lenient parsing of the ending of chunked segments, when they should end
with \r\n
.
Patches
The vulnerability has been fixed in 5.6.4 and 4.3.12.
Workarounds
When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
These proxy servers are known to have good
behavior re: this standard and
upgrading Puma may not be necessary. Users are encouraged to validate for
themselves.
- Nginx (latest)
- Apache (latest)
- Haproxy 2.5+
- Caddy (latest)
- Traefik (latest)
References
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma
Impact
Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.
The following vulnerabilities are addressed by this advisory:
- Incorrect parsing of trailing fields in chunked transfer encoding bodies
- Parsing of blank/zero-length Content-Length headers\r\n
Patches
The vulnerability has been fixed in 6.3.1 and 5.6.7.
Workarounds
No known workarounds.
References
Puma HTTP Request/Response Smuggling vulnerability
Impact
Prior to versions 6.4.2 and 5.6.8, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling.
Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.
Patches
The vulnerability has been fixed in 6.4.2 and 5.6.8.
Workarounds
No known workarounds.
References
- HTTP Request Smuggling
- Open an issue in Puma
- See our security policy
Puma's header normalization allows for client to clobber proxy set headers
Impact
Clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For).
Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack.
Patches
v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win.
Workarounds
Nginx has a underscoresinheaders configuration variable to discard these headers at the proxy level.
Any users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma
Impact
Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.
The following vulnerabilities are addressed by this advisory:
- Incorrect parsing of trailing fields in chunked transfer encoding bodies
- Parsing of blank/zero-length Content-Length headers\r\n
Patches
The vulnerability has been fixed in 6.3.1 and 5.6.7.
Workarounds
No known workarounds.
References
169 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
6.4.3 | BSD-3-Clause | 2024-09-19 - 05:50 | about 1 month | |
6.4.2 | BSD-3-Clause | 2 | 2024-01-08 - 05:57 | 10 months |
6.4.1 | BSD-3-Clause | 4 | 2024-01-03 - 00:05 | 10 months |
6.4.0 | BSD-3-Clause | 4 | 2023-09-21 - 04:15 | about 1 year |
6.3.1 | BSD-3-Clause | 4 | 2023-08-18 - 01:22 | about 1 year |
6.3.0 | BSD-3-Clause | 6 | 2023-05-31 - 07:16 | over 1 year |
6.2.2 | BSD-3-Clause | 6 | 2023-04-17 - 22:44 | over 1 year |
6.2.1 | BSD-3-Clause | 6 | 2023-03-31 - 06:53 | over 1 year |
6.2.0 | BSD-3-Clause | 6 | 2023-03-29 - 06:55 | over 1 year |
6.1.1 | BSD-3-Clause | 6 | 2023-02-28 - 07:40 | over 1 year |
6.1.0 | BSD-3-Clause | 6 | 2023-02-12 - 04:58 | over 1 year |
6.0.2 | BSD-3-Clause | 6 | 2023-01-01 - 22:04 | almost 2 years |
6.0.1 | BSD-3-Clause | 6 | 2022-12-20 - 20:21 | almost 2 years |
6.0.0 | BSD-3-Clause | 6 | 2022-10-14 - 02:33 | about 2 years |
5.6.9 | BSD-3-Clause | 2024-09-19 - 05:41 | about 1 month | |
5.6.8 | BSD-3-Clause | 1 | 2024-01-08 - 06:09 | 10 months |
5.6.7 | BSD-3-Clause | 2 | 2023-08-18 - 05:58 | about 1 year |
5.6.6 | BSD-3-Clause | 2 | 2023-06-21 - 02:59 | over 1 year |
5.6.5 | BSD-3-Clause | 2 | 2022-08-23 - 06:04 | about 2 years |
5.6.4 | BSD-3-Clause | 2 | 2022-03-30 - 16:15 | over 2 years |
5.6.2 | BSD-3-Clause | 4 | 2022-02-11 - 21:17 | over 2 years |
5.6.1 | BSD-3-Clause | 6 | 2022-01-27 - 00:40 | almost 3 years |
5.6.0 | BSD-3-Clause | 6 | 2022-01-25 - 21:21 | almost 3 years |
5.5.2 | BSD-3-Clause | 10 | 2021-10-12 - 23:08 | about 3 years |
5.5.1 | BSD-3-Clause | 10 | 2021-10-12 - 15:11 | about 3 years |
5.5.0 | BSD-3-Clause | 12 | 2021-09-19 - 20:09 | about 3 years |
5.4.0 | BSD-3-Clause | 12 | 2021-07-29 - 14:31 | over 3 years |
5.3.2 | BSD-3-Clause | 12 | 2021-05-21 - 17:17 | over 3 years |
5.3.1 | BSD-3-Clause | 12 | 2021-05-11 - 14:56 | over 3 years |
5.3.0 | BSD-3-Clause | 14 | 2021-05-07 - 15:01 | over 3 years |
5.2.2 | BSD-3-Clause | 14 | 2021-03-02 - 16:08 | over 3 years |
5.2.1 | BSD-3-Clause | 14 | 2021-02-05 - 22:28 | over 3 years |
5.2.0 | BSD-3-Clause | 14 | 2021-01-27 - 20:43 | almost 4 years |
5.1.1 | BSD-3-Clause | 14 | 2020-12-10 - 15:28 | almost 4 years |
5.1.0 | BSD-3-Clause | 14 | 2020-11-30 - 17:33 | almost 4 years |
5.0.4 | BSD-3-Clause | 14 | 2020-10-27 - 14:18 | about 4 years |
5.0.3 | BSD-3-Clause | 14 | 2020-10-26 - 13:05 | about 4 years |
5.0.2 | BSD-3-Clause | 14 | 2020-09-28 - 15:19 | about 4 years |
5.0.1 | BSD-3-Clause | 14 | 2020-09-28 - 13:48 | about 4 years |
5.0.0 | BSD-3-Clause | 14 | 2020-09-17 - 17:06 | about 4 years |
5.0.0.beta2 | BSD-3-Clause | 10 | 2020-09-05 - 22:28 | about 4 years |
5.0.0.beta1 | BSD-3-Clause | 10 | 2020-05-12 - 01:49 | over 4 years |
4.3.12 | BSD-3-Clause | 6 | 2022-03-30 - 16:14 | over 2 years |
4.3.11 | BSD-3-Clause | 7 | 2022-02-11 - 21:21 | over 2 years |
4.3.10 | BSD-3-Clause | 8 | 2021-10-12 - 23:15 | about 3 years |
4.3.9 | BSD-3-Clause | 8 | 2021-10-12 - 15:13 | about 3 years |
4.3.8 | BSD-3-Clause | 9 | 2021-05-11 - 14:54 | over 3 years |
4.3.7 | BSD-3-Clause | 10 | 2020-11-30 - 16:54 | almost 4 years |
4.3.6 | BSD-3-Clause | 10 | 2020-09-05 - 21:12 | about 4 years |
4.3.5 | BSD-3-Clause | 10 | 2020-05-19 - 22:43 | over 4 years |
4.3.4 | BSD-3-Clause | 12 | 2020-05-19 - 00:09 | over 4 years |
4.3.3 | BSD-3-Clause | 14 | 2020-02-28 - 19:23 | over 4 years |
4.3.1 | BSD-3-Clause | 18 | 2019-12-05 - 07:38 | almost 5 years |
4.3.0 | BSD-3-Clause | 20 | 2019-11-07 - 21:05 | almost 5 years |
4.2.1 | BSD-3-Clause | 24 | 2019-10-07 - 09:44 | about 5 years |
4.2.0 | BSD-3-Clause | 24 | 2019-09-23 - 09:25 | about 5 years |
4.1.1 | BSD-3-Clause | 24 | 2019-09-09 - 12:20 | about 5 years |
4.1.0 | BSD-3-Clause | 24 | 2019-08-08 - 19:55 | about 5 years |
4.0.1 | BSD-3-Clause | 24 | 2019-07-11 - 17:52 | over 5 years |
4.0.0 | BSD-3-Clause | 24 | 2019-06-25 - 17:46 | over 5 years |
3.12.6 | BSD-3-Clause | 14 | 2020-05-19 - 22:43 | over 4 years |
3.12.5 | BSD-3-Clause | 15 | 2020-05-19 - 00:08 | over 4 years |
3.12.4 | BSD-3-Clause | 16 | 2020-02-28 - 19:49 | over 4 years |
3.12.2 | BSD-3-Clause | 18 | 2019-12-05 - 07:43 | almost 5 years |
3.12.1 | BSD-3-Clause | 19 | 2019-03-19 - 18:07 | over 5 years |
3.12.0 | BSD-3-Clause | 19 | 2018-07-13 - 16:10 | over 6 years |
3.11.4 | BSD-3-Clause | 24 | 2018-04-12 - 19:40 | over 6 years |
3.11.3 | BSD-3-Clause | 24 | 2018-03-06 - 05:42 | over 6 years |
3.11.2 | BSD-3-Clause | 24 | 2018-01-19 - 19:24 | almost 7 years |
3.11.1 | BSD-3-Clause | 24 | 2018-01-19 - 04:49 | almost 7 years |
3.11.0 | BSD-3-Clause | 24 | 2017-11-20 - 16:29 | almost 7 years |
3.10.0 | BSD-3-Clause | 24 | 2017-08-17 - 19:25 | about 7 years |
3.9.1 | BSD-3-Clause | 24 | 2017-06-03 - 14:04 | over 7 years |
3.9.0 | BSD-3-Clause | 24 | 2017-06-01 - 15:40 | over 7 years |
3.8.2 | BSD-3-Clause | 24 | 2017-03-14 - 17:57 | over 7 years |
3.8.1 | BSD-3-Clause | 24 | 2017-03-10 - 17:20 | over 7 years |
3.8.0 | BSD-3-Clause | 24 | 2017-03-09 - 22:28 | over 7 years |
3.7.1 | BSD-3-Clause | 24 | 2017-02-20 - 15:19 | over 7 years |
3.7.0 | BSD-3-Clause | 24 | 2017-01-28 - 00:36 | almost 8 years |
3.6.2 | BSD-3-Clause | 24 | 2016-11-22 - 23:57 | almost 8 years |
3.6.1 | BSD-3-Clause | 24 | 2016-11-21 - 19:08 | almost 8 years |
3.6.0 | BSD-3-Clause | 24 | 2016-07-25 - 05:18 | over 8 years |
3.5.2 | BSD-3-Clause | 24 | 2016-07-20 - 17:59 | over 8 years |
3.5.1 | BSD-3-Clause | 24 | 2016-07-20 - 17:55 | over 8 years |
3.5.0 | BSD-3-Clause | 24 | 2016-07-19 - 05:08 | over 8 years |
3.4.0 | BSD-3-Clause | 24 | 2016-04-07 - 22:07 | over 8 years |
3.3.0 | BSD-3-Clause | 24 | 2016-04-05 - 16:29 | over 8 years |
3.2.0 | BSD-3-Clause | 24 | 2016-03-20 - 21:21 | over 8 years |
3.1.1 | BSD-3-Clause | 24 | 2016-03-18 - 04:33 | over 8 years |
3.1.0 | BSD-3-Clause | 24 | 2016-03-06 - 00:34 | over 8 years |
3.0.2 | BSD-3-Clause | 24 | 2016-02-26 - 18:39 | over 8 years |
3.0.1 | BSD-3-Clause | 24 | 2016-02-26 - 03:44 | over 8 years |
3.0.0 | BSD-3-Clause | 24 | 2016-02-25 - 22:25 | over 8 years |
3.0.0.rc1 | BSD-3-Clause | 24 | 2016-02-20 - 01:27 | over 8 years |
2.16.0 | BSD-3-Clause | 24 | 2016-01-28 - 03:58 | almost 9 years |
2.15.3 | BSD-3-Clause | 24 | 2015-11-07 - 17:19 | almost 9 years |
2.15.2 | BSD-3-Clause | 24 | 2015-11-06 - 23:35 | almost 9 years |
2.15.1 | BSD-3-Clause | 24 | 2015-11-06 - 23:31 | almost 9 years |
2.15.0 | BSD-3-Clause | 24 | 2015-11-06 - 19:08 | almost 9 years |
2.14.0 | BSD-3-Clause | 24 | 2015-09-18 - 16:57 | about 9 years |