Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/puma@4.3.2
Typegem
Namespace
Namepuma
Version4.3.2
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version5.6.9
Latest_non_vulnerable_version6.4.3
Affected_by_vulnerabilities
0
url VCID-ap87-c4dc-zfcy
vulnerability_id VCID-ap87-c4dc-zfcy
summary 
HTTP Response Splitting (Early Hints) in Puma
### Impact
If an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as [HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting).

While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).

This is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v), which fixed this vulnerability but only for regular responses.

### Patches
This has been fixed in 4.3.3 and 3.12.4.

### Workarounds
Users can not allow untrusted/user input in the Early Hints response header.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [puma](https://github.com/puma/puma)
* Email us a project maintainer. [Email addresses are listed in our Code of Conduct](https://github.com/puma/puma/blob/master/CODE_OF_CONDUCT.md#enforcement).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5249.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5249.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-5249
reference_id
reference_type
scores
0
value 0.00498
scoring_system epss
scoring_elements 0.65899
published_at 2026-04-21T12:55:00Z
1
value 0.00498
scoring_system epss
scoring_elements 0.6591
published_at 2026-04-18T12:55:00Z
2
value 0.00498
scoring_system epss
scoring_elements 0.65896
published_at 2026-04-16T12:55:00Z
3
value 0.00498
scoring_system epss
scoring_elements 0.65861
published_at 2026-04-13T12:55:00Z
4
value 0.00498
scoring_system epss
scoring_elements 0.65891
published_at 2026-04-12T12:55:00Z
5
value 0.00498
scoring_system epss
scoring_elements 0.65903
published_at 2026-04-11T12:55:00Z
6
value 0.00498
scoring_system epss
scoring_elements 0.65825
published_at 2026-04-02T12:55:00Z
7
value 0.00498
scoring_system epss
scoring_elements 0.65775
published_at 2026-04-01T12:55:00Z
8
value 0.00498
scoring_system epss
scoring_elements 0.65885
published_at 2026-04-09T12:55:00Z
9
value 0.00498
scoring_system epss
scoring_elements 0.65873
published_at 2026-04-08T12:55:00Z
10
value 0.00498
scoring_system epss
scoring_elements 0.65821
published_at 2026-04-07T12:55:00Z
11
value 0.00498
scoring_system epss
scoring_elements 0.65855
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-5249
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5249
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5249
3
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
4
reference_url https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
5
reference_url https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
6
reference_url https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5249.yml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5249.yml
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-5249
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-5249
15
reference_url https://owasp.org/www-community/attacks/HTTP_Response_Splitting
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://owasp.org/www-community/attacks/HTTP_Response_Splitting
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1816181
reference_id 1816181
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1816181
17
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953122
reference_id 953122
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953122
18
reference_url https://github.com/advisories/GHSA-33vf-4xgg-9r58
reference_id GHSA-33vf-4xgg-9r58
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-33vf-4xgg-9r58
fixed_packages
0
url pkg:gem/puma@4.3.3
purl pkg:gem/puma@4.3.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5zm7-c7nu-quad
1
vulnerability VCID-bk4b-h5hu-2qeq
2
vulnerability VCID-euqw-bed6-z7d6
3
vulnerability VCID-fhu7-fyha-9khj
4
vulnerability VCID-gkf9-7a9x-nkh4
5
vulnerability VCID-jwun-grgg-2uet
6
vulnerability VCID-nxhw-rdtz-zyar
7
vulnerability VCID-pvph-c6vu-qkhn
8
vulnerability VCID-q37p-vzmm-aken
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.3
aliases CVE-2020-5249, GHSA-33vf-4xgg-9r58
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ap87-c4dc-zfcy
1
url VCID-pr2m-wx1b-hqbz
vulnerability_id VCID-pr2m-wx1b-hqbz
summary 
HTTP Response Splitting in Puma
In Puma (RubyGem) before 4.3.2 and 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.

While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).

This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server.

This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5247.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5247.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2020-5247
reference_id
reference_type
scores
0
value 0.02094
scoring_system epss
scoring_elements 0.84063
published_at 2026-04-21T12:55:00Z
1
value 0.02094
scoring_system epss
scoring_elements 0.84061
published_at 2026-04-18T12:55:00Z
2
value 0.02094
scoring_system epss
scoring_elements 0.84059
published_at 2026-04-16T12:55:00Z
3
value 0.02094
scoring_system epss
scoring_elements 0.84036
published_at 2026-04-13T12:55:00Z
4
value 0.02094
scoring_system epss
scoring_elements 0.84041
published_at 2026-04-12T12:55:00Z
5
value 0.02094
scoring_system epss
scoring_elements 0.84047
published_at 2026-04-11T12:55:00Z
6
value 0.02094
scoring_system epss
scoring_elements 0.8403
published_at 2026-04-09T12:55:00Z
7
value 0.02094
scoring_system epss
scoring_elements 0.83998
published_at 2026-04-04T12:55:00Z
8
value 0.02094
scoring_system epss
scoring_elements 0.83983
published_at 2026-04-02T12:55:00Z
9
value 0.02094
scoring_system epss
scoring_elements 0.83969
published_at 2026-04-01T12:55:00Z
10
value 0.02094
scoring_system epss
scoring_elements 0.84024
published_at 2026-04-08T12:55:00Z
11
value 0.02094
scoring_system epss
scoring_elements 0.84001
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2020-5247
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5247
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5247
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/puma/puma
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma
5
reference_url https://github.com/puma/puma/commit/c36491756f68a9d6a8b3a49e7e5eb07fe6f1332f
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/commit/c36491756f68a9d6a8b3a49e7e5eb07fe6f1332f
6
reference_url https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5247.yml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5247.yml
8
reference_url https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-5247
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2020-5247
16
reference_url https://owasp.org/www-community/attacks/HTTP_Response_Splitting
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://owasp.org/www-community/attacks/HTTP_Response_Splitting
17
reference_url https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1816187
reference_id 1816187
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1816187
19
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952766
reference_id 952766
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952766
20
reference_url https://github.com/advisories/GHSA-84j7-475p-hp8v
reference_id GHSA-84j7-475p-hp8v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-84j7-475p-hp8v
fixed_packages
0
url pkg:gem/puma@4.3.3
purl pkg:gem/puma@4.3.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5zm7-c7nu-quad
1
vulnerability VCID-bk4b-h5hu-2qeq
2
vulnerability VCID-euqw-bed6-z7d6
3
vulnerability VCID-fhu7-fyha-9khj
4
vulnerability VCID-gkf9-7a9x-nkh4
5
vulnerability VCID-jwun-grgg-2uet
6
vulnerability VCID-nxhw-rdtz-zyar
7
vulnerability VCID-pvph-c6vu-qkhn
8
vulnerability VCID-q37p-vzmm-aken
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.3
aliases CVE-2020-5247, GHSA-84j7-475p-hp8v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pr2m-wx1b-hqbz
Fixing_vulnerabilities
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/puma@4.3.2