---
gem: puma
cve: 2020-11076
ghsa: x7jg-6pwg-fx5h
url: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
date: 2020-05-22
title: HTTP Smuggling via Transfer-Encoding Header in Puma
description: |-
  ### Impact

  By using an invalid transfer-encoding header, an attacker could
  [smuggle an HTTP response](https://portswigger.net/web-security/request-smuggling).

  ### Patches

  The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.

cvss_v3: 7.5

patched_versions:
  - "~> 3.12.5"
  - ">= 4.3.4"