Look up vulnerable packages by Package URL (purl). The response below is for package record 304457, which is pkg:gem/puma@7.3.

GET /api/packages/304457?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/304457?format=api",
    "purl": "pkg:gem/puma@7.3",
    "type": "gem",
    "namespace": "",
    "name": "puma",
    "version": "7.3",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": null,
    "latest_non_vulnerable_version": null,
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/275693?format=api",
            "vulnerability_id": "VCID-2ajy-ppmc-abd5",
            "summary": "Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections\n## Impact\n\nPuma is vulnerable to source IP spoofing when set_remote_address\nproxy_protocol: :v1 is enabled and persistent connections are used.\n\nPROXY protocol v1 is a connection-level protocol. Support was added\nto Puma in v5.5.0. A proxy sends one PROXY header at the beginning\nof a TCP connection, before any HTTP data. Puma incorrectly re-parsed\nPROXY protocol headers after each keep-alive request on the same\nconnection. An attacker able to send HTTP requests through a trusted\nproxy could therefore inject a second PROXY header between HTTP\nrequests. Puma would treat the injected header as authoritative for\nthe next request and overwrite REMOTE_ADDR.\n\nThis can mislead applications or middleware that use REMOTE_ADDR for\nsecurity decisions, rate limiting, auditing, or allow/deny lists.\n\nOnly deployments that explicitly enable PROXY protocol v1 are affected,\nand will have set:\n\n  set_remote_address proxy_protocol: :v1\n\nPuma's default configuration is not affected. Deployments that do\nnot use persistent connections to Puma are also not expected to\nbe affected by this issue.\n\n## Workarounds\n\n* Disable PROXY protocol v1 parsing if it is not required:\n\n  # remove/comment this:\n  # set_remote_address proxy_protocol: :v1\n\nUsers can also disable persistent connections to Puma, for example:\n\n  enable_keep_alives false",
            "references": [
                {
                    "reference_url": "https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-47737",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-47737"
                }
            ],
            "fixed_packages": [],
            "aliases": [
                "CVE-2026-47737",
                "GHSA-2vqw-3mp8-cgmx"
            ],
            "risk_score": 2.2,
            "exploitability": "0.5",
            "weighted_severity": "4.5",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2ajy-ppmc-abd5"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/275692?format=api",
            "vulnerability_id": "VCID-yxp2-978j-fydw",
            "summary": "Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion\n## Impact\n\nPROXY protocol support for Puma was added in version 5.5.0.\n\nWhen PROXY protocol v1 support is enabled, Puma reads incoming bytes\ninto an internal buffer. It waits for \"\\r\\n\" to determine whether a\nPROXY v1 line is present. If an attacker opens a TCP connection and\ncontinuously sends bytes without CRLF, Puma keeps appending to this\npre-parse buffer.\n\nThis can cause unbounded in-process memory growth and additional\nCPU cost from repeatedly scanning the growing buffer for CRLF.\nA single, unauthenticated TCP connection can drive significant memory\ngrowth and may cause process/container OOM or degraded availability.\n\n Only Puma servers using the following non-default config are affected:\n\n set_remote_address proxy_protocol: :v1\n\n## Workarounds\n\n* Disable PROXY protocol v1 parsing if it is not required:\n  # remove/comment this:\n  # set_remote_address proxy_protocol: :v1\n\n* Restrict direct network access to Puma listeners using PROXY protocol:\n  * Only allow trusted load balancers/reverse proxies to connect.\n  * Block arbitrary client TCP access with firewall/security group rules.",
            "references": [
                {
                    "reference_url": "https://www.cve.org/CVERecord?id=CVE-2026-47736",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.5",
                            "scoring_system": "cvssv3",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-47736"
                }
            ],
            "fixed_packages": [],
            "aliases": [
                "CVE-2026-47736",
                "GHSA-qpgp-93vx-g8v8"
            ],
            "risk_score": 2.2,
            "exploitability": "0.5",
            "weighted_severity": "4.5",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yxp2-978j-fydw"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": "2.2",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/puma@7.3"
}
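A consumer of this response has to combine several fields before it can act: `is_vulnerable`, the `next_non_vulnerable_version` / `latest_non_vulnerable_version` hints, each vulnerability's `aliases`, the CVSS values nested under `references[].scores[]`, and `fixed_packages`. The script below is an added example, not VulnerableCode's own client; it works on a constructed, trimmed copy of the response shown above so it runs offline. The `fetch_by_purl` helper assumes a `?purl=` query parameter and DRF token authentication on the `/api/packages/` endpoint; confirm both against your instance before relying on it.

```python
"""Triage a VulnerableCode package lookup (added example, not project code)."""
import json
import urllib.request

# Constructed sample: the response above, trimmed to the fields used here.
# Note the type mismatch the real response shows: package-level risk_score is
# a string ("2.2") while the per-vulnerability risk_score is a number (2.2).
SAMPLE = {
    "purl": "pkg:gem/puma@7.3",
    "is_vulnerable": True,
    "next_non_vulnerable_version": None,
    "latest_non_vulnerable_version": None,
    "affected_by_vulnerabilities": [
        {"vulnerability_id": "VCID-2ajy-ppmc-abd5",
         "references": [{"reference_url": "https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-47737",
                         "scores": [{"value": "7.5", "scoring_system": "cvssv3", "scoring_elements": ""}]}],
         "fixed_packages": [],
         "aliases": ["CVE-2026-47737", "GHSA-2vqw-3mp8-cgmx"],
         "risk_score": 2.2},
        {"vulnerability_id": "VCID-yxp2-978j-fydw",
         "references": [{"reference_url": "https://www.cve.org/CVERecord?id=CVE-2026-47736",
                         "scores": [{"value": "7.5", "scoring_system": "cvssv3", "scoring_elements": ""}]}],
         "fixed_packages": [],
         "aliases": ["CVE-2026-47736", "GHSA-qpgp-93vx-g8v8"],
         "risk_score": 2.2},
    ],
    "risk_score": "2.2",
}


def max_cvss(vuln: dict):
    """Highest CVSS score across all references; None if no parseable CVSS entry."""
    best = None
    for ref in vuln.get("references", []):
        for score in ref.get("scores", []):
            if not score.get("scoring_system", "").startswith("cvss"):
                continue
            try:
                value = float(score["value"])  # scores are strings in the API
            except (KeyError, ValueError):
                continue
            best = value if best is None or value > best else best
    return best


def alias_of(vuln: dict, prefix: str):
    """First alias with the given prefix (e.g. 'CVE-' or 'GHSA-'), else None."""
    return next((a for a in vuln.get("aliases", []) if a.startswith(prefix)), None)


def recommend(pkg: dict) -> str:
    """Turn the package-level fields into a single remediation action."""
    if not pkg.get("is_vulnerable"):
        return "not_vulnerable"
    if pkg.get("next_non_vulnerable_version"):
        return f"upgrade:{pkg['next_non_vulnerable_version']}"
    if any(v.get("fixed_packages") for v in pkg.get("affected_by_vulnerabilities", [])):
        return "upgrade:see_fixed_packages"
    # Both hints are null and no vulnerability lists a fixed package: only the
    # advisory workarounds are available until a fixed version is published.
    return "no_fix_published:apply_workaround"


def triage(pkg: dict) -> dict:
    """Flatten one package response into findings sorted by severity."""
    findings = []
    for vuln in pkg.get("affected_by_vulnerabilities", []):
        findings.append({
            "vcid": vuln["vulnerability_id"],
            "cve": alias_of(vuln, "CVE-"),
            "ghsa": alias_of(vuln, "GHSA-"),
            "max_cvss": max_cvss(vuln),
            "fix_available": bool(vuln.get("fixed_packages")),
        })
    findings.sort(key=lambda f: (-(f["max_cvss"] or 0.0), f["vcid"]))
    return {
        "purl": pkg["purl"],
        "risk_score": float(pkg["risk_score"]),
        "findings": findings,
        "action": recommend(pkg),
    }


def fetch_by_purl(base_url: str, purl: str, token: str) -> dict:
    """Assumed endpoint shape: GET {base}/api/packages/?purl=<purl> with
    'Authorization: Token <key>'. Returns the first package in 'results'."""
    req = urllib.request.Request(
        f"{base_url}/api/packages/?purl={urllib.parse.quote(purl, safe='')}",
        headers={"Authorization": f"Token {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["results"][0]


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

The sort key puts the highest CVSS first and breaks ties on the VCID so output is stable across runs; `recommend` deliberately checks the package-level version hints before the per-vulnerability `fixed_packages` lists, because the hints already account for every vulnerability affecting the package.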
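Both advisories above describe the same pre-parse step failing in two ways: it runs again before every keep-alive request instead of once per connection (CVE-2026-47737), and it buffers without a cap while waiting for CRLF (CVE-2026-47736). The following added example is not Puma's code; it is a small Python model of a PROXY v1 pre-parser with the flawed behaviour beside a hardened one, driven by constructed byte streams. The 107-byte cap is the maximum v1 line length (including CRLF) from the PROXY protocol specification, not a figure taken from this page; the client names and addresses are invented.

```python
"""PROXY protocol v1 pre-parse: flawed vs hardened (added example, not Puma code)."""

# Maximum PROXY v1 line length including CRLF, per the PROXY protocol spec
# (assumption stated in the lead-in; not a value from the advisories above).
PROXY_V1_MAX_LINE = 107


def pre_parse(buf: bytes):
    """One pass of the pre-parse. Returns None while no CRLF has arrived yet,
    otherwise (source_ip_or_None, remaining_bytes). A non-PROXY first line is
    passed through untouched as application data."""
    end = buf.find(b"\r\n")
    if end < 0:
        return None
    line = buf[:end]
    if not line.startswith(b"PROXY "):
        return None, buf
    fields = line.split(b" ")  # PROXY TCP4|TCP6 src dst sport dport
    if len(fields) != 6 or fields[1] not in (b"TCP4", b"TCP6"):
        raise ValueError("malformed PROXY v1 line")
    return fields[2].decode("ascii"), buf[end + 2:]


class FlawedProxyV1:
    """Models the behaviour the advisories describe: the pre-parse runs for
    every request read on the connection and its buffer has no upper bound."""

    def __init__(self, peer_ip: str):
        self.remote_addr = peer_ip
        self.buf = b""

    def handle(self, chunk: bytes):
        self.buf += chunk                 # grows for as long as no CRLF arrives
        result = pre_parse(self.buf)      # re-run before every keep-alive request
        if result is None:
            return None
        src, rest = result
        if src is not None:
            self.remote_addr = src        # a mid-connection header overwrites REMOTE_ADDR
        self.buf = b""
        return rest


class HardenedProxyV1:
    """PROXY v1 is connection-level: parse at most once, and bound the buffer."""

    def __init__(self, peer_ip: str):
        self.remote_addr = peer_ip
        self.buf = b""
        self.header_done = False

    def handle(self, chunk: bytes):
        if self.header_done:
            return chunk                  # later requests never reach the pre-parse
        self.buf += chunk
        if len(self.buf) >= PROXY_V1_MAX_LINE and b"\r\n" not in self.buf[:PROXY_V1_MAX_LINE]:
            raise ConnectionError("PROXY v1 line exceeds %d bytes; closing" % PROXY_V1_MAX_LINE)
        result = pre_parse(self.buf)
        if result is None:
            return None
        src, rest = result
        if src is not None:
            self.remote_addr = src
        self.header_done = True           # whether or not a PROXY line was present
        self.buf = b""
        return rest


def remote_addrs_seen(handler_cls, chunks, peer_ip="203.0.113.7"):
    """Feed one read per keep-alive request; return REMOTE_ADDR as each request would see it."""
    handler = handler_cls(peer_ip)
    seen = []
    for chunk in chunks:
        if handler.handle(chunk) is not None:
            seen.append(handler.remote_addr)
    return seen


def slow_sender_outcome(handler_cls, n_chunks=3, chunk=b"A" * 64, peer_ip="203.0.113.7"):
    """Bytes with no CRLF, as in the memory-exhaustion advisory. Returns 'closed'
    if the handler gives up, else how much it has buffered."""
    handler = handler_cls(peer_ip)
    try:
        for _ in range(n_chunks):
            handler.handle(chunk)
    except ConnectionError:
        return "closed"
    return "buffered:%d" % len(handler.buf)


# Constructed keep-alive stream: the trusted proxy sends one PROXY line with the
# real client address; the client then injects a second one before request two.
KEEPALIVE_STREAM = [
    b"PROXY TCP4 198.51.100.20 10.0.0.5 40000 80\r\nGET /a HTTP/1.1\r\nHost: x\r\n\r\n",
    b"PROXY TCP4 10.0.0.1 10.0.0.5 1 80\r\nGET /admin HTTP/1.1\r\nHost: x\r\n\r\n",
]

if __name__ == "__main__":
    print("flawed  :", remote_addrs_seen(FlawedProxyV1, KEEPALIVE_STREAM))
    print("hardened:", remote_addrs_seen(HardenedProxyV1, KEEPALIVE_STREAM))
    print("flawed  :", slow_sender_outcome(FlawedProxyV1))
    print("hardened:", slow_sender_outcome(HardenedProxyV1))
```

With the hardened handler the injected second line is handed to the HTTP layer as the start of the request, where it is simply a malformed request line rather than an authoritative address; the REMOTE_ADDR set by the proxy's genuine header is never revisited. The length check fires as soon as the first 107 bytes contain no CRLF, so a slow sender is disconnected after a few reads instead of growing the buffer indefinitely. These are the two properties any fix for this class of bug needs, independent of which server implements it.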