Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.
The following vulnerabilities are addressed by this advisory:
The vulnerability has been fixed in 6.3.1 and 5.6.7.
No known workarounds.
If you have any questions or comments about this advisory:
Open an issue in Puma See our security policy
{ "nvd_published_at": "2023-08-18T22:15:11Z", "cwe_ids": [ "CWE-444" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-08-18T21:50:05Z" }