HIGH 7.5 RubyGems
GHSA-2vqw-3mp8-cgmx · CVE-2026-47737 Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections
Modified: 6/10/2026
package
RubyGems / puma
pkg:rubygems/puma
MEDIUM 6.5 RubyGems
GHSA-33vf-4xgg-9r58 · CVE-2020-5249 HTTP Response Splitting (Early Hints) in Puma
Modified: 2/4/2026
LOW 3.7 RubyGems
GHSA-48w2-rm65-62xx · CVE-2021-41136 Puma with proxy which forwards LF characters as line endings could allow HTTP request smuggling
Modified: 3/13/2026
CRITICAL 9.8 RubyGems
GHSA-68xg-gqqm-vgj8 · CVE-2023-40175 Puma HTTP Request/Response Smuggling vulnerability
Modified: 2/16/2024
MEDIUM 5.3 RubyGems
GHSA-7xx3-m584-x994 · CVE-2019-16770 A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack
Modified: 3/13/2026
MEDIUM 6.5 RubyGems
GHSA-84j7-475p-hp8v · BIT-ruby-2020-5247, BIT-ruby-min-2020-5247 HTTP Response Splitting in Puma
Modified: 3/13/2026
MEDIUM 5.4 RubyGems
GHSA-9hf4-67fc-4vf4 · CVE-2024-45614 Puma's header normalization allows for client to clobber proxy set headers
Modified: 2/4/2026
MEDIUM 5.9 RubyGems
GHSA-c2f4-cvqm-65w2 · CVE-2024-21647 Puma HTTP Request/Response Smuggling vulnerability
Modified: 2/4/2026
CRITICAL 9.1 RubyGems
GHSA-h99w-9q5r-gjq9 · CVE-2022-24790 Puma vulnerable to HTTP Request Smuggling
Modified: 2/16/2024
HIGH 7.5 RubyGems
GHSA-q28m-8xjw-8vr5 · CVE-2021-29509 Puma's Keepalive Connections Causing Denial Of Service
Modified: 3/13/2026
HIGH 7.5 RubyGems
GHSA-qpgp-93vx-g8v8 · CVE-2026-47736 Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
Modified: 6/10/2026
HIGH 8.0 RubyGems
GHSA-rmj8-8hhh-gv5h · CVE-2022-23634 Puma used with Rails may lead to Information Exposure
Modified: 2/4/2026
MEDIUM 6.8 RubyGems
GHSA-w64w-qqph-5gxm · CVE-2020-11077 HTTP Smuggling via Transfer-Encoding Header in Puma
Modified: 3/13/2026
HIGH 7.5 RubyGems
GHSA-x7jg-6pwg-fx5h · CVE-2020-11076 HTTP Smuggling via Transfer-Encoding Header in Puma
Modified: 3/13/2026