CVE-2021-41136
3.7 LOW
Puma is an HTTP 1.1 server for Ruby/Rack applications
Published: 2021-10-12 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 3.7 LOW
- Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
- CWE: CWE-444
Affected products
| Vendor | Product |
|---|---|
| debian | debian_linux, puma |
| puma | debian_linux, puma |
Description
Puma is an HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` behind a proxy that forwards HTTP header values containing the LF character could allow HTTP request smuggling. A client could smuggle a request through the proxy, causing the proxy to send a response back to another, unknown client. The only proxy known to the Puma team to have this behavior is Apache Traffic Server.

If the proxy uses persistent connections and the client adds another request via HTTP pipelining, the proxy may mistake it for the first request's body. Puma, however, would see it as two requests, and when processing the second request would send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.
Source: NVD
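The check a defender wants at this proxy/backend boundary, as an added example that is not Puma's own parser or its fix: a strict header parser that treats only CRLF as a line terminator and rejects any header value still carrying a bare LF or CR, so the front proxy and the backend cannot disagree on where one request ends and the next begins. The function names and the sample requests are constructed for this illustration.

```ruby
# Added example, not Puma's own code: a strict HTTP/1.1 header parser that
# refuses header values carrying a bare CR or LF, the input class behind
# CVE-2021-41136. Function names and sample requests are constructed here.

class HeaderSmugglingError < StandardError; end

# Parse the header section of a raw request (everything before the blank
# line). Only CRLF counts as a line terminator, so any LF left inside a
# value is a control character in the value, not a new line.
# Returns a Hash of lowercased header name => value.
def parse_strict_headers(raw)
  head, _sep, _body = raw.partition("\r\n\r\n")
  lines = head.split("\r\n")
  request_line = lines.shift
  raise HeaderSmugglingError, "missing request line" if request_line.nil? || request_line.empty?

  headers = {}
  lines.each do |line|
    name, sep, value = line.partition(":")
    raise HeaderSmugglingError, "malformed header line #{line.inspect}" if sep.empty?

    # Trim only spaces and tabs; a trailing LF must stay visible to the check below.
    value = value.sub(/\A[ \t]+/, "").sub(/[ \t]+\z/, "")

    # A bare LF or CR inside a value is exactly what a lenient parser might
    # read as the start of another header, or of another request.
    if name.match?(/[\r\n\s]/) || value.match?(/[\r\n]/)
      raise HeaderSmugglingError, "control character in header #{name.inspect}"
    end

    headers[name.downcase] = value
  end
  headers
end

# True when the raw request parses cleanly under the strict rules.
def safe_headers?(raw)
  parse_strict_headers(raw)
  true
rescue HeaderSmugglingError
  false
end

# Constructed samples: a clean request, and one whose X-Trace value hides a bare LF.
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: app.example\r\nX-Trace: abc\r\n\r\n"
LF_IN_VALUE_REQUEST = "GET / HTTP/1.1\r\nHost: app.example\r\nX-Trace: abc\nX-Hidden: 1\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  puts safe_headers?(BENIGN_REQUEST)       # true
  puts safe_headers?(LF_IN_VALUE_REQUEST)  # false
end
```

Run the same check on the header block a proxy is about to forward and on what the backend receives; any request the two sides parse differently is the condition the advisory describes.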
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-41136
- [Other] https://github.com/puma/puma/commit/436c71807f00e07070902a03f79fd3e130eb6b18
- [Patch] https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f
- [Other] https://github.com/puma/puma/commit/fb6ad8f8013ab5cdbb2f444cbfabd0b4fde71139
- [Other] https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
- [Other] https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
- [Other] https://security.gentoo.org/glsa/202208-28
- [Other] https://www.debian.org/security/2022/dsa-5146