Package details: pkg:deb/debian/puma@5.6.5-3%2Bdeb12u1
purl: pkg:deb/debian/puma@5.6.5-3%2Bdeb12u1
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (3)

VCID-fhu7-fyha-9khj
Summary: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Puma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. Severity of this issue is highly dependent on the nature of the web site using puma. This could be caused by either incorrect parsing of trailing fields in chunked transfer encoding bodies or by parsing of blank/zero-length Content-Length headers. Both issues have been addressed and this vulnerability has been fixed in versions 6.3.1 and 5.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Aliases: CVE-2023-40175, GHSA-68xg-gqqm-vgj8

VCID-nxhw-rdtz-zyar
Summary: Puma HTTP Request/Response Smuggling vulnerability
Impact: Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies. Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.
Patches: The vulnerability has been fixed in 6.4.2 and 5.6.8.
Workarounds: No known workarounds.
References:
* [HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)
* Open an issue in [Puma](https://github.com/puma/puma)
* See our [security policy](https://github.com/puma/puma/security/policy)
Aliases: CVE-2024-21647, GHSA-c2f4-cvqm-65w2

VCID-pvph-c6vu-qkhn
Summary: Puma's header normalization allows for client to clobber proxy set headers
Impact: Clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack.
Patches: v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists, effectively allowing the proxy-defined headers to always win.
Workarounds: Nginx has an [underscores_in_headers](https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers) configuration variable to discard these headers at the proxy level. Any users that are implicitly trusting the proxy-defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.
Aliases: CVE-2024-45614, GHSA-9hf4-67fc-4vf4

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T12:35:03.585180+00:00 | Debian Importer | Fixing | VCID-fhu7-fyha-9khj | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T00:35:35.416194+00:00 | Debian Oval Importer | Fixing | VCID-nxhw-rdtz-zyar | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.4.0 |
| 2026-04-15T16:18:59.989299+00:00 | Debian Oval Importer | Fixing | VCID-pvph-c6vu-qkhn | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.4.0 |
| 2026-04-13T08:37:08.315465+00:00 | Debian Importer | Fixing | VCID-fhu7-fyha-9khj | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-12T00:08:44.233061+00:00 | Debian Oval Importer | Fixing | VCID-nxhw-rdtz-zyar | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.3.0 |
| 2026-04-11T16:06:19.305322+00:00 | Debian Oval Importer | Fixing | VCID-pvph-c6vu-qkhn | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.3.0 |
| 2026-04-08T23:39:49.990476+00:00 | Debian Oval Importer | Fixing | VCID-nxhw-rdtz-zyar | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.1.0 |
| 2026-04-08T19:44:24.054760+00:00 | Debian Importer | Fixing | VCID-fhu7-fyha-9khj | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-08T15:59:01.658260+00:00 | Debian Oval Importer | Fixing | VCID-pvph-c6vu-qkhn | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.1.0 |