PT-2024-1076 · Puma+7

Bartekn · Published 2024-01-08 · Updated 2025-10-07 · CVE-2024-21647

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Puma versions prior to 6.4.2; Puma versions prior to 5.6.8
Description: Puma, a web server for Ruby/Rack applications, handled chunked transfer-encoding request bodies incorrectly: it placed no limit on the length of the chunk extensions that may follow the chunk size on each chunk-size line. A client can therefore send chunked requests whose chunk-size lines are arbitrarily long, forcing the server to spend unbounded CPU and network bandwidth on parsing them, and the flawed parsing also exposes the server to HTTP request smuggling.
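To make the failure mode concrete, here is an added example (not Puma's own parser) of a minimal chunked-body decoder in the style of RFC 7230 section 4.1. With the cap disabled it reads the whole chunk-size line no matter how long the extension is, which is the unbounded-resource behaviour the advisory describes; with the cap enabled it stops reading after MAX_CHUNK_LINE bytes and rejects the request. The constant MAX_CHUNK_LINE, the helper names and the two sample bodies are constructed for this illustration; the page does not state what limit Puma's fix actually chose.

```ruby
# Added example, not Puma's code: a small chunked-transfer-encoding decoder
# that contrasts an unbounded chunk-size line read with a capped one.
require "stringio"

class ChunkedBodyError < StandardError; end

# Upper bound on one chunk-size line, including any ";name=value" extensions
# and the trailing CRLF. Chosen for illustration only (assumption).
MAX_CHUNK_LINE = 64

# Read one CRLF-terminated line. With max_line nil the read is unbounded, so
# a client controls how much the server buffers before it sees the CRLF.
def read_line(io, max_line, what)
  line = max_line ? io.gets("\r\n", max_line) : io.gets("\r\n")
  raise ChunkedBodyError, "truncated #{what}" if line.nil?
  unless line.end_with?("\r\n")
    raise ChunkedBodyError, "#{what} exceeds #{max_line} bytes"
  end
  line.chomp("\r\n")
end

# Decode a chunked body from an IO and return the de-chunked bytes.
# Chunk extensions are split off and discarded, as a server normally does.
def decode_chunked(io, max_line: MAX_CHUNK_LINE)
  out = String.new(encoding: Encoding::BINARY)
  loop do
    size_hex, _ext = read_line(io, max_line, "chunk-size line").split(";", 2)
    size_hex = size_hex.to_s.strip
    unless size_hex.match?(/\A[0-9a-fA-F]+\z/)
      raise ChunkedBodyError, "bad chunk size #{size_hex.inspect}"
    end
    size = size_hex.to_i(16)
    if size.zero?
      # Last chunk: skip optional trailer fields up to the empty line.
      loop { break if read_line(io, max_line, "trailer line").empty? }
      return out
    end
    data = io.read(size)
    if data.nil? || data.bytesize != size
      raise ChunkedBodyError, "truncated chunk data"
    end
    out << data
    raise ChunkedBodyError, "missing CRLF after chunk" unless io.read(2) == "\r\n"
  end
end

def decode_chunked_string(body, **opts)
  decode_chunked(StringIO.new(body), **opts)
end

# True when the body parses without a cap but is rejected by the capped
# decoder, i.e. it depends on an oversized chunk-size line.
def rejected_only_when_capped?(body)
  decode_chunked_string(body, max_line: nil)
  begin
    decode_chunked_string(body)
    false
  rescue ChunkedBodyError
    true
  end
end

# Constructed sample bodies (not captured traffic).
BENIGN_BODY = "4;name=val\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
# One 4-byte chunk carrying 4 KiB of extension filler: cheap to send,
# expensive to buffer and scan for the CRLF.
ABUSIVE_BODY = "4;" + ("x" * 4096) + "\r\nWiki\r\n0\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  puts decode_chunked_string(BENIGN_BODY)
  puts decode_chunked_string(ABUSIVE_BODY, max_line: nil)
  begin
    decode_chunked_string(ABUSIVE_BODY)
  rescue ChunkedBodyError => e
    puts "capped decoder: #{e.message}"
  end
end
```

The important design choice is that the cap is applied to the read itself (`gets` with a byte limit) rather than checked after the line has been fully buffered: a post-hoc length check still lets the client dictate how much memory and scanning time each chunk-size line costs.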
Recommendations: For versions prior to 6.4.2, update to version 6.4.2 or later. For versions prior to 5.6.8, update to version 5.6.8 or later. As a temporary workaround, restrict access to the affected HTTP endpoints until the patch is applied. Note that chunked transfer encoding is selected by the client, not by the server, so "avoiding" it on an unpatched Puma means rejecting or fully buffering chunked request bodies in a reverse proxy in front of Puma rather than changing a Puma setting.
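An added check (not Puma's or RubyGems' own tooling) for deciding whether an installed Puma carries the fix, using only the fixed versions the advisory names. The helper names are assumptions; it uses Gem::Version so that "5.6.10" compares as newer than "5.6.8", which a plain string comparison would get wrong.

```ruby
# Added example, not project code: gate on the fixed Puma versions named in
# the advisory (5.6.8 for the 5.x line, 6.4.2 for 6.x).
require "rubygems"

FIXED_PUMA_VERSIONS = {
  5 => Gem::Version.new("5.6.8"),
  6 => Gem::Version.new("6.4.2"),
}.freeze

# True when the given Puma version is at or past the fix for its release line.
# Anything older than 5.6.8, including all 4.x releases, counts as affected.
# Major versions newer than 6 are assumed to post-date the fix (assumption).
def puma_fixed?(version_string)
  version = Gem::Version.new(version_string)
  major = version.segments.first
  fixed = FIXED_PUMA_VERSIONS[major]
  return version >= fixed if fixed
  major > 6
end

# Version of the puma gem visible to this Ruby, or nil if it is not installed.
def installed_puma_version
  Gem::Specification.find_by_name("puma").version.to_s
rescue Gem::LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  v = installed_puma_version
  if v.nil?
    puts "puma is not installed in this gem environment"
  else
    puts "puma #{v}: #{puma_fixed?(v) ? 'fixed' : 'AFFECTED, upgrade'}"
  end
end
```

Run it inside the application's bundle (for example via `bundle exec ruby`) so that `Gem::Specification.find_by_name` sees the gem the application actually loads, not a system-wide copy.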

Exploit · Fix · DoS · HTTP Request/Response Smuggling


Weakness Enumeration

Related Identifiers

ALT-PU-2024-14819
ALT-PU-2025-9550
BDU:2024-00328
CVE-2024-21647
DLA-3947-1
GHSA-C2F4-CVQM-65W2
OESA-2024-2250
OESA-2024-2252
OESA-2024-2259
OPENSUSE-SU-2024_3644-1
RHSA-2024:2010
SUSE-SU-2024:3644-1
SUSE-SU-2024_3644-1
SUSE-SU-2025:03466-1
SUSE-SU-2025:03467-1
USN-6597-1
USN-6682-1

Affected Products

Alt Linux
Astra Linux
Debian
Linuxmint
Puma
Red Os
Suse
Ubuntu