CVE-2024-21647
Resource Consumption vulnerability in puma (RubyGems)
What is CVE-2024-21647 About?
This vulnerability in Puma allows for unbounded resource consumption when parsing chunked transfer encoding bodies. Attackers can send specially crafted HTTP requests to exhaust CPU and network bandwidth resources. Exploitation is relatively easy for an attacker who can send malicious HTTP requests.
Affected Software
- puma
  - >=6.0.0, <6.4.2
  - <5.6.8
Technical Details
Prior to fixed versions, Puma did not properly limit the size of chunk extensions within chunked transfer encoding bodies. In the HTTP chunked transfer encoding, 'chunk extensions' are optional data that can follow the chunk size. By sending a request with excessively large or numerous chunk extensions, an attacker can force Puma to allocate and process an unbounded amount of data. This leads to high CPU usage for parsing and significant network bandwidth consumption, resulting in a denial of service due to resource exhaustion.
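The chunk-extension limit described above, as an added example that is not Puma's own code: a minimal Ruby decoder for HTTP/1.1 chunked bodies that caps the chunk-size line (where extensions live) at a fixed byte count, so an oversized extension is rejected before the server buffers or scans it. The 4096-byte cap, the `decode_chunked` name and the `ChunkedBodyError` class are assumptions for illustration, not values from the advisory or the Puma fix.

```ruby
require "stringio"

class ChunkedBodyError < StandardError; end

# Hypothetical cap on the chunk-size line (size + extensions); Puma's actual
# limit value is not stated on this page.
MAX_CHUNK_HEADER_BYTES = 4096

# Decodes a complete chunked body held in +data+ (a binary String) and
# returns the de-chunked payload. Raises ChunkedBodyError on malformed input
# or when any chunk-size line exceeds +max_header+ bytes.
def decode_chunked(data, max_header: MAX_CHUNK_HEADER_BYTES)
  io = StringIO.new(data.b)
  out = +"".b
  loop do
    # Read at most max_header + 2 bytes; if no CRLF arrives inside that
    # window, the extension is too long and we stop without consuming more.
    line = io.gets("\r\n", max_header + 2)
    raise ChunkedBodyError, "truncated chunk header" if line.nil?
    raise ChunkedBodyError, "chunk header exceeds #{max_header} bytes" unless line.end_with?("\r\n")
    header = line.chomp("\r\n")
    # Everything after the first ';' is a chunk extension and is ignored.
    size_hex = header.split(";", 2).first.to_s.strip
    raise ChunkedBodyError, "bad chunk size #{size_hex.inspect}" unless size_hex.match?(/\A[0-9a-fA-F]+\z/)
    size = size_hex.to_i(16)
    if size.zero?
      # Last chunk: consume optional trailer lines up to the blank line.
      loop do
        trailer = io.gets("\r\n", max_header + 2)
        raise ChunkedBodyError, "truncated trailer" if trailer.nil?
        break if trailer == "\r\n"
      end
      return out
    end
    chunk = io.read(size)
    raise ChunkedBodyError, "truncated chunk data" if chunk.nil? || chunk.bytesize != size
    raise ChunkedBodyError, "missing CRLF after chunk" unless io.read(2) == "\r\n"
    out << chunk
  end
end
```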
What is the Impact of CVE-2024-21647?
Successful exploitation may allow attackers to consume excessive CPU and network resources, leading to a denial of service and making the application unavailable to legitimate users.
What is the Exploitability of CVE-2024-21647?
Exploitation is of low complexity, requiring only the ability to send HTTP requests with a crafted chunked transfer encoding body. No authentication or specific privileges are required, making this a remote attack. The primary risk factor is the direct exposure of the Puma server to untrusted network traffic. Without strict input validation or rate limiting at a proxy layer, an attacker can easily send malformed requests to trigger the resource exhaustion.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-21647?
Available Upgrade Options
- puma
  - <5.6.8 → Upgrade to 5.6.8
  - >=6.0.0, <6.4.2 → Upgrade to 6.4.2
Additional Resources
- https://lists.debian.org/debian-lts-announce/2024/11/msg00004.html
- https://nvd.nist.gov/vuln/detail/CVE-2024-21647
- https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml
- https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
- https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93
- https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7
- https://github.com/puma/puma
What are Similar Vulnerabilities to CVE-2024-21647?
Similar Vulnerabilities: CVE-2021-29509, CVE-2019-16770, CVE-2018-1000539, CVE-2017-7657, CVE-2015-8855
