MEDIUM 5.9

GHSA-c2f4-cvqm-65w2

Puma HTTP Request/Response Smuggling vulnerability

Details

### Impact Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.

Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.

### Patches

The vulnerability has been fixed in 6.4.2 and 5.6.8.

### Workarounds

No known workarounds.

### References

* [HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling) * Open an issue in [Puma](https://github.com/puma/puma) * See our [security policy](https://github.com/puma/puma/security/policy)

Are you affected?

Enter the version of the package you're using.

Affected packages

RubyGems / puma

Introduced in: 6.0.0 Fixed in: 6.4.2

Fix bundle update puma

RubyGems / puma

Introduced in: 0 Fixed in: 5.6.8

Fix bundle update puma

References

https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2024-21647 [ADVISORY]
https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93 [WEB]
https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7 [WEB]
https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d [WEB]
https://github.com/puma/puma [PACKAGE]
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml [WEB]
https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html [WEB]