CVE-2024-45614

CVSS v4.0

6.3

Medium

Vector

AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Name of the Vulnerable Software and Affected Versions: Puma versions prior to 6.4.3 Puma versions prior to 5.6.9

Description: The issue is related to the handling of HTTP requests in Puma, a Ruby/Rack web server. Clients could overwrite values set by intermediate proxies, such as X-Forwarded-For, by providing an underscore version of the same header, for example, X-Forwarded For. This could allow an attacker to downgrade connections to HTTP or redirect responses, potentially causing confidentiality leaks. Users relying on proxy-set variables are affected.

Recommendations: For Puma versions prior to 6.4.3, upgrade to version 6.4.3 or later. For Puma versions prior to 5.6.9, upgrade to version 5.6.9 or later. As a temporary workaround, consider using Nginx's underscores in headers configuration variable to discard headers with underscores at the proxy level. Any users implicitly trusting proxy-defined headers for security should immediately cease doing so until upgraded to the fixed versions.

Exploit

Fix

IDOR

HTTP Request/Response Smuggling

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-639CWE-444

Related Identifiers

ALT-PU-2025-9550

BDU:2024-07777

CVE-2024-45614

DLA-3947-1

GHSA-9HF4-67FC-4VF4

OESA-2024-2249

OESA-2024-2250

OESA-2024-2251

OESA-2024-2252

OESA-2024-2259

OPENSUSE-SU-2024:14474-1

OPENSUSE-SU-2024_3644-1

OPENSUSE-SU-2025:15123-1

OPENSUSE-SU-2026:10357-1

SUSE-SU-2024:3644-1

SUSE-SU-2025:03466-1

SUSE-SU-2025:03467-1

USN-7031-1

USN-7031-2

Affected Products

Alt Linux

Astra Linux

Debian

Linuxmint

Nginx

Puma

Red Os

Suse

Ubuntu

CVE-2024-45614

Weakness Enumeration

Related Identifiers

Affected Products

References · 67