CVSS v3.x: 8.0 (High)
- ~> 4.3.11
- >= 5.6.2
puma may not always call
close on the response body. Rails, prior to version
18.104.22.168, depended on the
response body being closed in order for its
CurrentAttributes implementation to
> Under certain circumstances response bodies will not be closed, for example > a bug in a webserver or a bug in a Rack middleware. In the event a > response is not notified of a close, ActionDispatch::Executor will not know > to reset thread local state for the next request. This can lead to data > being leaked to subsequent requests, especially when interacting with > ActiveSupport::CurrentAttributes.
The combination of these two behaviors (Puma not closing the body + Rails’ Executor implementation) causes information leakage.
This problem is fixed in Puma versions 5.6.2 and 4.3.11.
This problem is fixed in Rails versions 7.02.2, 22.214.171.124, 126.96.36.199, and 188.8.131.52.
See: https://github.com/advisories/GHSA-wh98-p28r-vrc9 for details about the rails vulnerability
Upgrading to a patched Rails or Puma version fixes the vulnerability.
Upgrade to Rails versions 184.108.40.206, 220.127.116.11, 18.104.22.168, and 22.214.171.124.
The Rails CVE includes a middleware that can be used instead.