Puma · Puma · CVE-2024-21647
**Name of the Vulnerable Software and Affected Versions**
Puma versions prior to 6.4.2
Puma versions prior to 5.6.8
**Description**
The issue stems from incorrect handling of HTTP requests in Puma, a web server for Ruby/Rack applications. When parsing a body sent with chunked transfer encoding, affected versions place no limit on the size of chunk extensions, so a request can make the server spend unbounded resources, including CPU and network bandwidth, on parsing them. The flaw is categorised as HTTP request smuggling and its practical impact is denial of service.
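To make the missing limit concrete, the following is an added example (not Puma's code) of a minimal chunked-body reader that budgets the bytes spent on chunk-size lines, including any `;name=value` extensions, and rejects a body once that budget is exceeded. The constants, the `decode_chunked` function and the sample bodies are assumptions for this illustration, not values or identifiers from Puma.

```ruby
# Added example, not Puma's implementation: a chunked-body decoder that bounds
# the bytes spent on chunk headers (size line plus extensions).
MAX_CHUNK_HEADER_BYTES = 4096   # assumed budget for this example, not Puma's value
MAX_BODY_BYTES = 1 << 20        # assumed decoded-body cap for this example

class ChunkedBodyError < StandardError; end

# Decodes a complete chunked transfer-encoding body and returns the payload.
# Raises ChunkedBodyError on oversized chunk headers, malformed sizes,
# truncated data, or a decoded body larger than max_body.
def decode_chunked(raw, max_header: MAX_CHUNK_HEADER_BYTES, max_body: MAX_BODY_BYTES)
  pos = 0
  out = +""
  header_bytes = 0
  loop do
    eol = raw.index("\r\n", pos)
    raise ChunkedBodyError, "truncated chunk header" if eol.nil?
    # Count every byte of every chunk-size line across the whole body, so a
    # stream of tiny chunks carrying huge extensions cannot burn unbounded CPU.
    header_bytes += eol - pos + 2
    raise ChunkedBodyError, "chunk header bytes exceed #{max_header}" if header_bytes > max_header
    size_str, _ext = raw[pos...eol].split(";", 2)
    size_str = size_str.to_s.strip
    raise ChunkedBodyError, "bad chunk size" unless size_str.match?(/\A[0-9a-fA-F]{1,16}\z/)
    size = size_str.to_i(16)
    pos = eol + 2
    return out if size.zero?                # last-chunk; trailers are ignored here
    raise ChunkedBodyError, "body exceeds #{max_body}" if out.bytesize + size > max_body
    chunk = raw.byteslice(pos, size)
    raise ChunkedBodyError, "truncated chunk data" if chunk.nil? || chunk.bytesize < size
    out << chunk
    pos += size
    raise ChunkedBodyError, "missing CRLF after chunk" unless raw.byteslice(pos, 2) == "\r\n"
    pos += 2
  end
end

# Constructed sample inputs: a benign body with a small extension, and one
# whose single chunk extension alone exceeds the header budget.
GOOD_BODY = "5;name=v\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
BAD_BODY  = "1;" + ("x" * 5000) + "\r\na\r\n0\r\n\r\n"

def rejects_oversized_extension?
  decode_chunked(BAD_BODY)
  false
rescue ChunkedBodyError
  true
end
```

Without the `header_bytes` budget, the same loop would happily scan arbitrarily long extension lines for every chunk, which is the resource-consumption path the advisory describes.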
**Recommendations**
For versions prior to 6.4.2, update to version 6.4.2 or later.
For versions prior to 5.6.8, update to version 5.6.8 or later.
As a temporary workaround, restrict access to the affected HTTP endpoints until the patch is applied.
Where possible, avoid accepting `chunked transfer encoding` request bodies in the affected Puma versions until the upgrade is complete.