MEDIUM · CVE-2024-45614 · CVSS 5.4

CVE-2024-45614: Header Clobbering in Puma

Platform: ruby

Component: puma

Fixed in: 6.0.1, 5.6.10, 5.6.9

AI Confidence: high · NVD · EPSS 0.8% · Reviewed: May 2026

CVE-2024-45614 describes a header clobbering vulnerability in Puma, a Ruby web server. This flaw allows attackers to manipulate headers set by intermediate proxies, potentially leading to downgrade attacks or response redirection. The vulnerability impacts Puma versions 5.6.8 and earlier, and a fix is available in version 5.6.9.


Impact and Attack Scenarios

The core of this vulnerability lies in Puma's handling of headers with underscores. An attacker can submit a header like X-Forwarded_For alongside the standard X-Forwarded-For. Puma, in vulnerable versions, will incorrectly process the underscored version, potentially overriding headers set by a proxy server. This manipulation can be leveraged to downgrade connections from HTTPS to HTTP, effectively stripping away encryption and exposing sensitive data in transit. Furthermore, attackers could redirect responses, potentially leading to phishing or other malicious actions, especially when combined with a man-in-the-middle (MITM) attack. The blast radius extends to any application relying on Puma and trusting headers provided by upstream proxies.

Exploitation Context

This vulnerability was published on 2024-09-20. There is no indication of this CVE being on KEV or having an EPSS score. Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature suggests it could be exploited in targeted attacks against applications relying on Puma and proxy servers. The NVD and CISA have not yet issued advisories.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
NextGuard: 100% still vulnerable

EPSS

0.76% (73rd percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N (base score 5.4, MEDIUM; nextguardhq.com)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: puma
Vendor: osv

Affected range >= 6.0.0, < 6.4.3; fixed in 6.0.1
Affected range < 5.6.9; fixed in 5.6.10, 5.6.9

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patched 2 days after disclosure

Mitigation and Workarounds

The primary mitigation is to upgrade to Puma version 5.6.9 or later, which correctly discards underscored header versions when the standard version is also present. If upgrading is not immediately feasible, a workaround involves configuring the upstream proxy (e.g., Nginx) to prioritize its headers. This can be achieved by ensuring that the proxy is the sole source of headers like X-Forwarded-For and that Puma is not configured to override them. Specifically, ensure Nginx is configured to send headers with a higher precedence. After upgrading, confirm the fix by sending requests with both X-Forwarded-For and X-Forwarded_For headers and verifying that the proxy-defined header is used.

How to fix

Update the Puma gem to version 6.4.3 or higher. This will fix the vulnerability that allows clients to overwrite headers set by proxies. As an alternative mitigation, configure Nginx to discard headers with underscores by setting `underscores_in_headers` to `off`.
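The collision that the Mitigation and How to fix sections above describe, modelled in Ruby as an added illustration (this is not Puma's parser code): `env_key` is the CGI-style name normalisation every Rack server applies, and the two `build_env_*` functions contrast the clobbering behaviour with the discard rule the fix applies. The header order in `SAMPLE_HEADERS` is a constructed assumption, not captured traffic.

```ruby
# Added illustration (not Puma's parser): why "X-Forwarded-For" and
# "X-Forwarded_For" collide, and the rule the fix applies.
# Like CGI, Rack servers expose request headers as HTTP_<NAME>, upper-cased
# with '-' turned into '_', so both spellings map to HTTP_X_FORWARDED_FOR.

def env_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Vulnerable model: every header is written into env in arrival order, so a
# client-supplied underscored header that arrives after the proxy's dashed one
# silently replaces the proxy's value.
def build_env_clobberable(headers)
  env = {}
  headers.each { |name, value| env[env_key(name)] = value }
  env
end

# Fixed model (the rule the advisory describes): a header whose name contains
# an underscore is discarded when the same request also carries a header that
# maps to the same key without an underscore. A lone underscored header is
# still accepted.
def build_env_fixed(headers)
  dashed = headers.reject { |name, _| name.include?("_") }
                  .map { |name, _| env_key(name) }
  env = {}
  headers.each do |name, value|
    key = env_key(name)
    next if name.include?("_") && dashed.include?(key)
    env[key] = value
  end
  env
end

# Constructed sample request as it would reach Puma behind a reverse proxy.
# Assumption: the proxy emits its own headers first, then passes the client's
# remaining headers through unchanged.
SAMPLE_HEADERS = [
  ["Host", "app.example"],
  ["X-Forwarded-For", "198.51.100.7"],   # set by the proxy
  ["X-Forwarded-Proto", "https"],        # set by the proxy
  ["X-Forwarded_For", "203.0.113.9"],    # passed through from the client
  ["X-Forwarded_Proto", "http"],         # passed through from the client
]

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{build_env_clobberable(SAMPLE_HEADERS)['HTTP_X_FORWARDED_PROTO']}"
  puts "fixed:      #{build_env_fixed(SAMPLE_HEADERS)['HTTP_X_FORWARDED_PROTO']}"
end
```

The `X-Forwarded-Proto` pair is the HTTPS-to-HTTP downgrade the Impact section warns about; sending the same two spellings through a patched deployment and checking that the proxy's value survives is the verification step the Mitigation section recommends.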

Frequently asked questions

What is CVE-2024-45614 — Header Clobbering in Puma?

CVE-2024-45614 is a medium severity vulnerability in Puma versions 5.6.8 and earlier, allowing attackers to manipulate proxy headers like X-Forwarded-For, potentially leading to HTTP downgrade or response redirection.

Am I affected by CVE-2024-45614 in Puma?

You are affected if you are using Puma version 5.6.8 or earlier and your application relies on headers set by a proxy server. Check your Puma version with puma -v.

How do I fix CVE-2024-45614 in Puma?

Upgrade to Puma version 5.6.9 or later. Alternatively, configure your upstream proxy (e.g., Nginx) to prioritize its headers and prevent Puma from overriding them.

Is CVE-2024-45614 being actively exploited?

There is currently no public evidence of active exploitation, but the vulnerability's nature suggests it could be exploited in targeted attacks.

Where can I find the official Puma advisory for CVE-2024-45614?

Refer to the Puma project's security advisories and release notes on their official website or GitHub repository for the latest information.
