VYPR
High severity · NVD Advisory · Published Feb 11, 2022 · Updated Apr 23, 2025

Information Exposure when using Puma with Rails

CVE-2022-23634

Description

Puma is a Ruby/Rack web server built for parallelism. Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Puma and Rails vulnerability where incomplete response body closing can lead to information leakage between requests.

Vulnerability

Puma, a Ruby web server, prior to versions 5.6.2 and 4.3.11, does not always call close on the response body [1]. Rails, prior to versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2, depends on the response body being closed for CurrentAttributes to work correctly [3]. When Puma fails to close the response body, Rails' ActionDispatch::Executor does not reset thread local state, potentially leaking data between requests [3].
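The dependency described above, as an added example (not Puma's or Rails' code): a minimal Rack-style pipeline in which a BodyProxy stand-in for Rack::BodyProxy resets per-thread state when the server closes the response body, and a serving loop that handles two requests on one thread with and without that close call. Current, BodyProxy, ExecutorMiddleware, the X-User header and the two requests are constructed for the example.

```ruby
# Added example, not Puma's or Rails' code. BodyProxy is a minimal stand-in for
# Rack::BodyProxy; Current stands in for an ActiveSupport::CurrentAttributes
# subclass; ExecutorMiddleware mimics the part of Rails' Executor that resets
# per-thread state when the response body is closed.

# Thread-local "current attributes": the state that leaks when never reset.
module Current
  def self.user;     Thread.current[:current_user]; end
  def self.user=(u); Thread.current[:current_user] = u; end
  def self.reset;    Thread.current[:current_user] = nil; end
end

# Wraps a Rack body; the block runs exactly once, when the server calls close.
class BodyProxy
  def initialize(body, &on_close)
    @body, @on_close, @closed = body, on_close, false
  end

  def each(&block); @body.each(&block); end

  def close
    return if @closed
    @closed = true
    begin
      @body.close if @body.respond_to?(:close)
    ensure
      @on_close.call # the reset hook Rails relies on
    end
  end
end

# Middleware: resets Current when (and only when) the body gets closed.
class ExecutorMiddleware
  def initialize(app); @app = app; end
  def call(env)
    status, headers, body = @app.call(env)
    [status, headers, BodyProxy.new(body) { Current.reset }]
  end
end

# App: an authenticated request sets Current.user; every request reports it.
APP = ExecutorMiddleware.new(lambda do |env|
  Current.user = env['HTTP_X_USER'] if env['HTTP_X_USER']
  [200, { 'content-type' => 'text/plain' }, ["user=#{Current.user.inspect}"]]
end)

# Constructed traffic: an authenticated request, then an anonymous one, both
# handled on the same thread as a server worker thread would.
REQUESTS = [{ 'HTTP_X_USER' => 'alice' }, {}]

# Serve sequentially; close_body: false models a server that skips body.close.
def run_requests(app, envs, close_body:)
  Current.reset
  envs.map do |env|
    _status, _headers, body = app.call(env)
    out = +''
    body.each { |chunk| out << chunk }
    body.close if close_body
    out
  end
end

def leaky_run; run_requests(APP, REQUESTS, close_body: false); end
def fixed_run; run_requests(APP, REQUESTS, close_body: true);  end
```

In the leaky run the anonymous second request reports `user="alice"`, the first request's identity; with the close call in place it reports `user=nil`.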

Exploitation

An attacker can repeatedly send requests to a vulnerable application, leveraging the race condition or timing of response body handling to access thread local state from previous requests. No authentication is required beyond normal network access.

Impact

Successful exploitation results in information leakage, where sensitive data from one request may be exposed in subsequent responses. This could include personal data, session tokens, or other attributes stored in CurrentAttributes [1][3].

Mitigation

Fixed versions are available: Puma 5.6.2 and 4.3.11, and Rails 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2 [1][3]. Upgrading either Puma or Rails to a patched version resolves the vulnerability. No workaround is necessary beyond updating.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions     Patched versions
puma (RubyGems)    >= 5.0.0, < 5.6.2     5.6.2
puma (RubyGems)    < 4.3.11              4.3.11


Patches

b70f451fe8ab

Ensure `close` is called on the response body no matter what

https://github.com/puma/puma · Jean Boussier · Feb 11, 2022 · via ghsa
1 file changed · +10 −5
  • lib/puma/request.rb (+10 −5, modified)
    @@ -171,11 +171,16 @@ def handle_request(client, lines, requests)
             end
     
           ensure
    -        uncork_socket io
    -
    -        body.close
    -        client.tempfile.unlink if client.tempfile
    -        res_body.close if res_body.respond_to? :close
    +        begin
    +          uncork_socket io
    +
    +          body.close
    +          client.tempfile.unlink if client.tempfile
    +        ensure
    +          # Whatever happens, we MUST call `close` on the response body.
    +          # Otherwise Rack::BodyProxy callbacks may not fire and lead to various state leaks
    +          res_body.close if res_body.respond_to? :close
    +        end
     
             after_reply.each { |o| o.call }
           end
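Review bot: the inner `ensure` now guarantees `res_body.close if res_body.respond_to? :close`, but an exception raised by `uncork_socket io`, `body.close` or `client.tempfile.unlink` still propagates out of the inner block and skips `after_reply.each { |o| o.call }` at the end of the outer `ensure`; if those callbacks also release per-request state, consider the same begin/ensure treatment for them, and add a regression test asserting that the Rack::BodyProxy close callback fires when one of the earlier cleanup steps raises.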
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
