9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24790

GHSA ID

GHSA-h99w-9q5r-gjq9

EPSS Score

0.60534%

CWE

CWE-444

Published

3/30/2022

Updated

5/4/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24790

CVE-2022-24790: Puma vulnerable to HTTP Request Smuggling

When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.

The following vulnerabilities are addressed by this advisory:

Lenient parsing of Transfer-Encoding headers, when unsupported encodings should be rejected and the final encoding must be chunked.
Lenient parsing of malformed Content-Length headers and chunk sizes, when only digits and hex digits should be allowed.
Lenient parsing of duplicate Content-Length headers, when they should be rejected.
Lenient parsing of the ending of chunked segments, when they should end with \r\n.

The vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.

These proxy servers are known to have "good" behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.

Nginx (latest)
Apache (latest)
Haproxy 2.5+
Caddy (latest)
Traefik (latest)

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24790

GHSA ID

GHSA-h99w-9q5r-gjq9

EPSS Score

0.60534%

CWE

CWE-444

Published

3/30/2022

Updated

5/4/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
puma	rubygems	>= 5.0.0, < 5.6.4	5.6.4
puma	rubygems	< 4.3.12	4.3.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from lenient parsing logic in HTTP header/body processing. The commit diff shows critical fixes in these functions: added validation for Transfer-Encoding values (rejecting invalid encodings, ensuring 'chunked' is last), strict Content-Length digit checks, and chunk size/ending validation. These functions directly handled the vulnerable parsing behaviors described in CVE-2022-24790, making them the clear points of failure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W**n usin* Pum* ***in* * proxy t**t *o*s not prop*rly v*li**t* t**t t** in*omin* *TTP r*qu*st m*t***s t** R****** st*n**r*, Pum* *n* t** *ront*n* proxy m*y *is**r** on w**r* * r*qu*st st*rts *n* *n*s. T*is woul* *llow r*qu*sts to ** smu**l** vi* t**

Reasoning

T** vuln*r**ility st*ms *rom l*ni*nt p*rsin* lo*i* in *TTP *****r/*o*y pro**ssin*. T** *ommit *i** s*ows *riti**l *ix*s in t**s* *un*tions: ***** `v*li**tion` *or `Tr*ns**r-*n*o*in*` v*lu*s (r*j**tin* inv*li* *n*o*in*s, *nsurin* '**unk**' is l*st), s

9.1

Basic Information

Concerned about an active attack path?

CVE-2022-24790: Puma vulnerable to HTTP Request Smuggling

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI