GHSA-33vf-4xgg-9r58

### Impact If an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as [HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting).

While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).

This is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v), which fixed this vulnerability but only for regular responses.

### Patches This has been fixed in 4.3.3 and 3.12.4.

### Workarounds Users can not allow untrusted/user input in the Early Hints response header.

### For more information If you have any questions or comments about this advisory: * Open an issue in [puma](https://github.com/puma/puma) * Email us a project maintainer. [Email addresses are listed in our Code of Conduct](https://github.com/puma/puma/blob/master/CODE_OF_CONDUCT.md#enforcement).