What is the CVSS score of CVE-2024-21647?

CVE-2024-21647 has a CVSS 3.1 base score of 5.9 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 2.5%.

Which versions of Puma are affected by CVE-2024-21647?

Organizations using a way that allowed HTTP request smuggling. Fixed should be aware of moderate risk from CVE-2024-21647 rated CVSS 5.9.. A patch is available.

How to fix or mitigate CVE-2024-21647?

Within 30 days: Identify affected systems running a way that allowed HTTP request smuggling. Fixed and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Puma CVE-2024-21647

MEDIUM

HTTP Request/Response Smuggling (CWE-444)

2024-01-08 security-advisories@github.com

Information Disclosure Request Smuggling Puma

5.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:34 vuln.today

Patch released

Mar 28, 2026 - 19:34 nvd

Patch available

CVE Published

Jan 08, 2024 - 14:15 nvd

MEDIUM 5.9

DescriptionNVD

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

AnalysisAI

Puma is a web server for Ruby/Rack applications built for parallelism. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Technical ContextAI

This vulnerability is classified as HTTP Request/Response Smuggling (CWE-444), which allows attackers to manipulate HTTP request interpretation between frontend and backend servers. Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8. Affected products include: Puma. Version information: version 6.4.2.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Enforce strict HTTP parsing, normalize requests at proxy layer, use HTTP/2 end-to-end, reject ambiguous headers.

CVE-2024-21647 vulnerability details – vuln.today

Back

Puma CVE-2024-21647

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code