All Puma CVEs — Complete Vulnerability History
Puma is the most widely used multi-threaded web server in the Ruby ecosystem and the default server in a freshly generated Rails application. Its vulnerability history is dominated by two classes, HTTP request smuggling and denial of service. Both live in the server's HTTP parsing and connection handling rather than in application code, so they affect every application served by Puma regardless of framework.
Language: Ruby · 5M+ weekly downloads · 4 CVEs listed
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2019-16770 | 2019 | HIGH | DoS: a misbehaving client could tie up Puma's threads with keepalive requests | Fixed 3.12.2 (4.x branch: 4.3.1) |
| CVE-2020-11076 | 2020 | HIGH | HTTP request smuggling via an invalid Transfer-Encoding header | Fixed 4.3.5 |
| CVE-2021-29509 | 2021 | HIGH | DoS: keepalive connections exhausting the connection queue | Fixed 4.3.8 (5.x branch: 5.3.1) |
| CVE-2022-24790 | 2022 | HIGH | HTTP request smuggling via chunked Transfer-Encoding when Puma sits behind a lenient reverse proxy | Fixed 5.6.4 (4.x branch: 4.3.12) |
Current safe version: 6.4.2 (the newest release when this page was written; check Puma's GitHub security advisories before pinning, since later releases may carry further fixes)
# Before
gem 'puma', '4.3.0'
# After
gem 'puma', '6.4.2'
Then run bundle install and confirm the resolved version with bundle exec puma --version (or read the puma entry in Gemfile.lock). Note that an exact pin like the one above will not pick up later 6.4.x security releases until you edit the Gemfile again; a pessimistic constraint such as ~> 6.4 combined with a >= 6.4.2 floor lets bundle update puma pull them in.
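The manual check described above can be scripted. The following is an added example, not PackageFix's scanner or Puma's own code: it reads the puma version locked in a Gemfile.lock and reports which CVEs from the table are still open for it. The fixed versions are the ones in the table, plus the release on the other maintained branch that carried the same fix (4.3.1 for CVE-2019-16770, 5.3.1 for CVE-2021-29509, 4.3.12 for CVE-2022-24790), and the sample lockfile is constructed.

```ruby
# Added example (not PackageFix's tool or Puma's code): read the puma version
# locked in a Gemfile.lock and report which CVEs from the table above are still
# open for it. Fixed versions come from the table; the extra entries are the
# release on the other maintained branch that carried the same fix.
PUMA_FIXES = {
  "CVE-2019-16770" => %w[3.12.2 4.3.1],
  "CVE-2020-11076" => %w[4.3.5],
  "CVE-2021-29509" => %w[4.3.8 5.3.1],
  "CVE-2022-24790" => %w[4.3.12 5.6.4],
}.freeze

# Locked specs in Gemfile.lock are indented by exactly four spaces under
# "specs:"; their dependency lines (six spaces) and the DEPENDENCIES section
# ("puma (= 4.3.0)", two spaces) must not match.
def locked_puma_version(lockfile_text)
  m = lockfile_text.match(/^ {4}puma \((\S+)\)$/)
  m && Gem::Version.new(m[1])
end

# Patched if at or above the newest fix, or at or above the fix backported to
# the version's own major.minor branch (4.3.9 is patched for CVE-2021-29509 via
# 4.3.8 although 5.3.1 is newer; 5.0.0 is not, since no 5.0.x fix exists).
def patched?(version, fixed_versions)
  fixes = fixed_versions.map { |v| Gem::Version.new(v) }.sort
  return true if version >= fixes.last
  fixes.any? { |f| f.segments[0, 2] == version.segments[0, 2] && version >= f }
end

# CVE ids from PUMA_FIXES that the given Gem::Version is still exposed to.
def open_cves(version)
  PUMA_FIXES.reject { |_cve, fixes| patched?(version, fixes) }.keys
end

# Constructed sample lockfile, not taken from any real application.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.8)
      puma (4.3.0)
        nio4r (~> 2.0)
      rack (2.2.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    puma (= 4.3.0)
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  version = locked_puma_version(text) || abort("puma not found in lockfile")
  cves = open_cves(version)
  status = cves.empty? ? "no listed CVEs open" : "open: #{cves.join(', ')}"
  puts "puma #{version}: #{status}"
end
```

Run it as ruby check_puma.rb path/to/Gemfile.lock; with no argument it evaluates the embedded sample and reports all four CVEs open for 4.3.0. The branch-aware comparison matters because Puma backported fixes to 4.3.x for years: a naive "version < newest fix" test would wrongly flag a patched 4.3.12.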
Common questions
What is the impact of Puma's HTTP request smuggling CVEs?
HTTP request smuggling can allow an attacker to bypass access controls enforced by a front-end proxy, poison shared response caches, and capture other users' requests (and the credentials they carry). In a reverse-proxy setup (Nginx → Puma) the attack exploits the gap between how each server frames the same byte stream: if the proxy decides where a request ends using Content-Length while Puma uses Transfer-Encoding: chunked, bytes the proxy treated as one request's body become the start of a second request at Puma, one the proxy never inspected. Puma is almost always deployed behind such a proxy, which is why its advisories for this class describe the issue in terms of proxy and server disagreeing on request boundaries.
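To make that parsing gap concrete, here is an added example (not Puma's, Nginx's or PackageFix's code): two deliberately simplified HTTP/1.1 framers run over one constructed byte stream. One honours only Content-Length, as a front end that ignores a Transfer-Encoding it does not recognise would; the other honours Transfer-Encoding: chunked, which RFC 7230 section 3.3.3 requires to take precedence when both headers are present. The same bytes yield a different second request on each side. The reject_conflict option shows the defensive alternative the same RFC section allows a server: refuse the ambiguous request outright. Hostnames and paths are made up.

```ruby
# Added example (not Puma's, Nginx's or PackageFix's code): two deliberately
# simple HTTP/1.1 framers applied to one constructed byte stream, to show how a
# proxy honouring Content-Length and a server honouring Transfer-Encoding carve
# the same bytes into different requests. Hostnames and paths are made up.
CRLF = "\r\n"

# Split a stream at the first blank line: [head, bytes after the head].
def split_head(stream)
  idx = stream.index(CRLF + CRLF) or raise "no end of headers"
  [stream[0...idx], stream[(idx + 4)..]]
end

# [request_line, {lowercased header name => value}]; later duplicates win,
# which is itself a leniency real parsers should not copy.
def parse_head(head)
  lines = head.split(CRLF)
  request_line = lines.shift
  headers = lines.each_with_object({}) do |l, h|
    name, value = l.split(":", 2)
    h[name.strip.downcase] = value.to_s.strip
  end
  [request_line, headers]
end

# Decode chunked framing (RFC 7230 section 4.1): [body, bytes consumed].
def read_chunked(data)
  body = +""
  pos = 0
  loop do
    line_end = data.index(CRLF, pos) or raise "truncated chunk-size line"
    size = data[pos...line_end].split(";", 2).first.to_s.to_i(16) # drop chunk extensions
    pos = line_end + 2
    if size.zero?
      # last-chunk: skip any trailer lines up to the terminating blank line
      until data[pos, 2] == CRLF
        pos = (data.index(CRLF, pos) or raise "truncated trailer") + 2
      end
      return [body, pos + 2]
    end
    chunk = data[pos, size]
    raise "truncated chunk-data" if chunk.nil? || chunk.bytesize < size
    body << chunk
    pos += size + 2 # chunk-data plus its CRLF
  end
end

# Frame a stream into requests. mode :cl honours only Content-Length (a front
# end that ignores an unrecognised Transfer-Encoding); mode :te honours
# Transfer-Encoding: chunked, which RFC 7230 section 3.3.3 says wins when both
# headers are present. reject_conflict refuses the ambiguous request instead.
def frame(stream, mode:, reject_conflict: false)
  requests = []
  rest = stream
  until rest.empty?
    head, after = split_head(rest)
    line, headers = parse_head(head)
    chunked = headers["transfer-encoding"].to_s.downcase.include?("chunked")
    if reject_conflict && chunked && headers.key?("content-length")
      raise "400 Bad Request: Content-Length and Transfer-Encoding both present"
    end
    if mode == :te && chunked
      body, used = read_chunked(after)
    else
      used = headers.fetch("content-length", "0").to_i
      body = after[0, used]
    end
    requests << { line: line, headers: headers, body: body }
    rest = after[used..] || ""
  end
  requests
end

# Request lines each side believes it received.
def request_lines(stream, mode:)
  frame(stream, mode: mode).map { |r| r[:line] }
end

# Constructed attacker request (CL.TE): Content-Length covers the whole tail,
# but a chunked parser stops at "0\r\n\r\n" and leaves a half-built GET /admin
# whose unterminated X-Ignore header swallows the next request's first line.
SMUGGLED_PREFIX = "GET /admin HTTP/1.1#{CRLF}Host: app.example#{CRLF}X-Ignore: "
HIDDEN_BODY = "0#{CRLF}#{CRLF}#{SMUGGLED_PREFIX}"
ATTACKER_REQUEST = [
  "POST / HTTP/1.1",
  "Host: app.example",
  "Content-Length: #{HIDDEN_BODY.bytesize}",
  "Transfer-Encoding: chunked",
  "",
  HIDDEN_BODY,
].join(CRLF)
# An unrelated request that happens to arrive next on the same connection.
VICTIM_REQUEST = ["GET /healthz HTTP/1.1", "Host: app.example", "", ""].join(CRLF)
STREAM = ATTACKER_REQUEST + VICTIM_REQUEST

if $PROGRAM_NAME == __FILE__
  puts "proxy (Content-Length) sees:     #{request_lines(STREAM, mode: :cl).inspect}"
  puts "server (Transfer-Encoding) sees: #{request_lines(STREAM, mode: :te).inspect}"
  begin
    frame(STREAM, mode: :te, reject_conflict: true)
  rescue RuntimeError => e
    puts "hardened server: #{e.message}"
  end
end
```

The proxy sees POST / followed by GET /healthz and applies its access rules to those two paths only; the server sees POST / followed by GET /admin, with the victim's request line folded into the smuggled X-Ignore header. Refusing requests that carry both framing headers, as the reject_conflict path does, removes the ambiguity entirely, and it is the behaviour to look for when you test a proxy and Puma pairing yourself.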
Does Rails update Puma automatically?
No. Puma is a separate gem. A freshly generated Rails application lists puma in its Gemfile, but bundle update rails will not touch it, because puma is not a dependency of Rails. Specify it explicitly in your Gemfile, run bundle update puma when a security release ships, and consider bundler-audit (bundle-audit check --update) to flag a locked version that has a published advisory.