Platform: ruby
Component: puma
Fixed in: 3.12.4, 4.0.1
CVE-2020-5247 describes a HTTP Response Splitting vulnerability in Puma, a Ruby web server. This flaw allows attackers to inject malicious content into HTTP responses by exploiting newline characters within response headers. Versions of Puma prior to 3.12.4 are affected. The vulnerability is mitigated by upgrading to version 3.12.4 or later.
The core of this vulnerability lies in Puma's handling of newline characters within HTTP response headers. An attacker who can control data included in a response header (e.g., through a vulnerable application) can inject line-ending characters (carriage return `\r` and line feed `\n`). These characters prematurely terminate the header, allowing the attacker to inject arbitrary headers or even a completely new response body. While response splitting is not by itself a direct attack vector, it can be leveraged for various malicious purposes, most notably cross-site scripting (XSS). Successful exploitation could lead to session hijacking, defacement, or redirection to malicious websites. This vulnerability shares similarities with CVE-2019-16254, which affected the WEBrick Ruby web server, highlighting a common pattern in web server implementations.
CVE-2020-5247 was publicly disclosed on February 28, 2020. There is no indication of active exploitation campaigns targeting this vulnerability at this time. The EPSS score is likely low, given the lack of public exploits and the relatively straightforward mitigation (upgrade). No KEV listing exists as of the current date.
Exploit Status
EPSS: 2.09% (84th percentile)
CVSS Vector
The primary mitigation for CVE-2020-5247 is to upgrade Puma to version 3.12.4 or later, which contains the fix. If an immediate upgrade is not feasible due to compatibility issues, consider implementing a WAF (Web Application Firewall) rule to filter out newline characters in response headers. Alternatively, carefully sanitize all user-supplied data before including it in response headers, and review application code to ensure that no untrusted input is placed directly into response headers. After upgrading, confirm the fix by sending a request that causes the application to emit a header containing newline characters and verifying that the response does not contain unexpected headers or content.
Update the Puma gem to version 4.3.2 or higher, or to version 3.12.3 or higher. The fix addresses the HTTP response splitting vulnerability by checking headers for line endings and rejecting any header that contains those characters. Run `gem update puma` to update.
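The following is an added illustration of the validation approach described above (checking header names and values for line endings and rejecting them before serialization). It is not Puma's own code; the function names, the error class and the sample header sets are constructed for this example. The unchecked serializer shows why a raw CR/LF in a header value turns one header into two on the wire, and the checked serializer shows the rejection an application or server should apply.

```ruby
# Added example (not Puma's own code): reject header names or values containing
# line endings before they are written into an HTTP response.

class HeaderInjectionError < StandardError; end

# Raise if either the header name or its value contains CR or LF.
# Returns the validated [name, value] pair for convenience.
def validate_header!(name, value)
  [name, value].each do |part|
    if part.to_s.match?(/[\r\n]/)
      raise HeaderInjectionError, "line ending in header #{name.inspect}"
    end
  end
  [name.to_s, value.to_s]
end

# Naive serialization: joins headers with CRLF without inspecting values.
# A value that itself contains CRLF produces an extra header line that a
# client will parse as a separate, attacker-chosen header.
def serialize_headers_unchecked(headers)
  headers.map { |k, v| "#{k}: #{v}\r\n" }.join
end

# Hardened serialization: every header is validated first, so a tainted
# value is rejected instead of being split into additional headers.
def serialize_headers_checked(headers)
  headers.map { |k, v| validate_header!(k, v); "#{k}: #{v}\r\n" }.join
end

# Number of header lines a client would see in the serialized block.
def header_line_count(serialized)
  serialized.split("\r\n").length
end

# Constructed samples. TAINTED_HEADERS models an application that copied an
# untrusted parameter (e.g. a redirect target) into a header without sanitizing it.
SAFE_HEADERS = { "Content-Type" => "text/html", "Location" => "/home" }
TAINTED_HEADERS = { "Content-Type" => "text/html",
                    "Location" => "/home\r\nX-Injected: 1" }

if __FILE__ == $0
  puts header_line_count(serialize_headers_unchecked(SAFE_HEADERS))     # 2
  puts header_line_count(serialize_headers_unchecked(TAINTED_HEADERS))  # 3: one header became two
  begin
    serialize_headers_checked(TAINTED_HEADERS)
  rescue HeaderInjectionError => e
    puts "rejected: #{e.message}"
  end
end
```

The same check applies on the application side: any framework helper that writes untrusted data into `Location`, `Set-Cookie` or custom headers should run it through a validator like `validate_header!` (or strip `\r` and `\n`) before the server ever sees it, so the server-side rejection is a backstop rather than the only line of defence.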
CVE-2020-5247 is a vulnerability in Puma where attackers can inject malicious content into HTTP responses using newline characters in headers, potentially leading to XSS.
You are affected if you are using Puma versions 3.9.1 or earlier. Upgrade to version 3.12.4 or later to resolve the issue.
Upgrade Puma to version 3.12.4 or later. As a temporary workaround, implement a WAF rule to filter newline characters in response headers.
There is currently no evidence of active exploitation campaigns targeting CVE-2020-5247.
Refer to the Puma security advisory for detailed information: https://github.com/puma/puma/security/advisories/GHSA-994w-4j6h-499r