---
gem: puma
cve: 2020-5249
ghsa: 33vf-4xgg-9r58
url: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
date: 2020-03-03
title: HTTP Response Splitting (Early Hints) in Puma
description: |-
  ### Impact
  If an application using Puma allows untrusted input in an early-hints header,
  an attacker can use a carriage return character to end the header and inject
  malicious content, such as additional headers or an entirely new response body.
  This vulnerability is known as [HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting).

  While not an attack in itself, response splitting is a vector for several other
  attacks, such as cross-site scripting (XSS).

  This is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v),
  which fixed this vulnerability but only for regular responses.

  ### Patches
  This has been fixed in 4.3.3 and 3.12.4.

  ### Workarounds
  Users can work around this by not allowing untrusted or user-supplied input in the Early Hints response header.
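  As an added illustration (not Puma's own code and not part of the original advisory), the following Ruby guard rejects CR/LF in values before they reach Rack's `rack.early_hints` callback, which Puma uses to send a 103 Early Hints response; the helper names and the constructed asset list are assumptions.

  ```ruby
  # Added example, not Puma's code: validate values that will become an
  # Early Hints "Link" header so a CR/LF cannot end the header and start
  # an injected header or a second response (HTTP response splitting).
  class UnsafeEarlyHintValue < StandardError; end

  # Reject any carriage return or line feed in a header value.
  def safe_early_hint_value(value)
    str = value.to_s
    raise UnsafeEarlyHintValue, "CR/LF in early hints header value" if str.match?(/[\r\n]/)
    str
  end

  # Build a Link header from [url, as_type] pairs; every field is checked.
  def build_link_header(assets)
    assets.map do |url, as_type|
      "<#{safe_early_hint_value(url)}>; rel=preload; as=#{safe_early_hint_value(as_type)}"
    end.join(", ")
  end

  # Rack exposes the server's early hints hook as env['rack.early_hints'];
  # it accepts a hash of headers. Returns false when the server lacks support.
  def send_early_hints(env, assets)
    hook = env["rack.early_hints"]
    return false unless hook
    hook.call("Link" => build_link_header(assets))
    true
  end

  # Demonstration with a constructed env and constructed asset URLs.
  if __FILE__ == $0
    env = { "rack.early_hints" => ->(h) { puts "103 Early Hints: #{h.inspect}" } }
    send_early_hints(env, [["/app.js", "script"]])
    begin
      # A value carrying a line break is refused instead of being sent.
      send_early_hints(env, [["/app.js\r\nX-Injected: 1", "script"]])
    rescue UnsafeEarlyHintValue => e
      puts "rejected: #{e.message}"
    end
  end
  ```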

cvss_v3: 6.5

patched_versions:
  - "~> 3.12.4"
  - ">= 4.3.3"

related:
  cve:
    - 2020-5247