Platform: ruby
Component: puma
Fixed in: 3.12.6, 4.0.1, 3.12.5
CVE-2020-11076 describes a vulnerability in Puma, a popular Ruby web server. This flaw allows attackers to smuggle HTTP responses by exploiting improper handling of transfer-encoding headers, potentially leading to request hijacking and other malicious activities. The vulnerability impacts Puma versions 3.9.1 and earlier. A fix is available in Puma 3.12.5 and 4.3.4.
The core of this vulnerability lies in Puma's handling of HTTP requests with potentially malformed transfer-encoding headers. An attacker can craft a request that tricks Puma into interpreting subsequent requests as part of the initial response, effectively smuggling them. This allows for various attacks, including session hijacking, cache poisoning, and potentially even gaining unauthorized access to backend systems. Successful exploitation could lead to an attacker impersonating legitimate users or manipulating the server's behavior. The impact is amplified in environments where Puma is used as a reverse proxy or load balancer, as the smuggled requests can bypass security controls.
This vulnerability was originally reported by @ZeddYu and publicly disclosed on May 22, 2020. While no active exploitation campaigns have been definitively linked to CVE-2020-11076, the technique of HTTP response smuggling is well-understood and has been exploited in other contexts. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of the attack.
Exploit Status
EPSS: 1.94% (83rd percentile)
CVSS Vector
The primary mitigation for CVE-2020-11076 is to upgrade Puma to version 3.12.5 or 4.3.4, which contain the necessary fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy with rules to filter out requests containing suspicious transfer-encoding headers, specifically those with invalid or unexpected values. Carefully review and validate all incoming HTTP headers, especially transfer-encoding, to prevent malicious manipulation. Monitor Puma logs for unusual patterns or errors related to header parsing.
Update the Puma gem to version 4.3.4 or higher, or to version 3.12.5 or higher. This will resolve the HTTP Smuggling vulnerability caused by an invalid Transfer-Encoding header. Run `gem update puma` to update.
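As an added illustration (not code from this advisory or from the Puma project) of the "are we affected" check that precedes the upgrade, the following Ruby script reads a Gemfile.lock, finds the resolved puma version and compares it with the fixed releases named above (3.12.5 on the 3.x line, 4.3.4 on the 4.x line). The lockfile fragment is constructed, and treating releases older than 3.x as affected and 5.x or later as unaffected is an assumption, not something the advisory states.

```ruby
require "rubygems"

# Fixed releases per major line, as named in the advisory text.
PUMA_FIXED = {
  3 => Gem::Version.new("3.12.5"),
  4 => Gem::Version.new("4.3.4"),
}.freeze

# Return the resolved puma version from Gemfile.lock text, or nil.
# Bundler writes resolved gems under "specs:" with a 4-space indent, e.g.
# "    puma (4.3.3)"; a platform suffix such as "(4.3.3-java)" is dropped.
# Dependency lines ("  puma (~> 4.3)") are 2-space indented and are skipped.
def puma_version_from_lockfile(lock_text)
  lock_text.each_line do |line|
    m = line.match(/\A    puma \((\d+(?:\.\d+)*)(?:-[\w.-]+)?\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# True when the version is older than the fix for its major line.
# Assumption: majors below 3 are treated as affected (the advisory lists no
# fix for them); majors above 4 postdate both fixes and are treated as fixed.
def puma_vulnerable_to_cve_2020_11076?(version)
  major = version.segments.first
  return true if major < 3
  return false if major > 4
  version < PUMA_FIXED[major]
end

# Overall verdict for a lockfile: :not_found, :vulnerable or :fixed.
def check_lockfile(lock_text)
  version = puma_version_from_lockfile(lock_text)
  return :not_found if version.nil?
  puma_vulnerable_to_cve_2020_11076?(version) ? :vulnerable : :fixed
end

# Constructed Gemfile.lock fragment pinning an affected 4.x release.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.2)
      puma (4.3.3)
        nio4r (~> 2.0)

  DEPENDENCIES
    puma (~> 4.3)
LOCK
puts "puma in sample Gemfile.lock: #{check_lockfile(SAMPLE_LOCK)}"  # => vulnerable
```

Point it at a real lockfile with `check_lockfile(File.read("Gemfile.lock"))`; a `:vulnerable` verdict means the `gem update puma` step above still has to be applied and the lockfile regenerated.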
CVE-2020-11076 is a vulnerability in Puma versions ≤3.9.1 that allows attackers to smuggle HTTP responses via invalid transfer-encoding headers, potentially leading to request hijacking.
If you are using Puma version 3.9.1 or earlier, you are potentially affected by this vulnerability. Upgrade to Puma 3.12.5 or 4.3.4 to mitigate the risk.
Upgrade Puma to version 3.12.5 or 4.3.4. As a temporary workaround, implement WAF rules to filter suspicious transfer-encoding headers.
While no confirmed active exploitation campaigns are publicly known, the technique is well-understood and could be exploited. It's crucial to apply the patch.
Refer to the Puma security policy on GitHub: https://github.com/puma/puma/security/policy