CVE-2022-23634 Overview
CVE-2022-23634 is an information leakage vulnerability affecting Puma, a Ruby/Rack web server built for parallelism. Prior to version 5.6.2, Puma may not always call close on the response body. When combined with Ruby on Rails (prior to version 7.0.2.2), which depends on the response body being closed for its CurrentAttributes implementation to work correctly, this creates a condition where sensitive information can leak between requests.
Critical Impact
The combination of Puma not closing the response body and Rails' Executor implementation causes information leakage, potentially exposing sensitive data from one user's request to another user.
Affected Products
- Puma versions prior to 5.6.2 and 4.3.11
- Ruby on Rails versions prior to 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2
- Debian Linux 9.0, 10.0, and 11.0
- Fedora 35, 36, and 37
Discovery Timeline
- 2022-02-11 - CVE-2022-23634 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-23634
Vulnerability Analysis
This vulnerability stems from an improper resource shutdown in Puma's request handling mechanism. The web server fails to reliably call close on the response body under certain conditions, which breaks the expected Rack protocol behavior. Rails' CurrentAttributes feature relies on Rack::BodyProxy callbacks being triggered when the response body is closed to properly reset thread-local state between requests.
When Puma skips the close call, Rails' Executor implementation cannot properly clean up CurrentAttributes data. This results in attributes set during one request persisting into subsequent requests that may be handled by the same thread, potentially exposing one user's data to another user.
The vulnerability requires a network-based attack vector with high attack complexity, as the attacker must be able to influence request timing and thread allocation to successfully exploit the information leakage condition.
Root Cause
The root cause is found in Puma's lib/puma/request.rb file, where the response body closure logic was not protected by its own ensure block. If an exception occurred during socket uncorking or temporary file cleanup, the res_body.close call could be skipped entirely. This violates the Rack specification, which mandates that the response body must always be closed after a request completes.
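The two-request leak described above, reduced to a self-contained Ruby model (added example, not Puma's or Rails' code): Current stands in for Rails' CurrentAttributes, BodyProxy for Rack::BodyProxy, and handle plays the server with the pre-5.6.2 cleanup order beside the nested-ensure fix.

```ruby
# Added example, not Puma's or Rails' code. Current stands in for Rails'
# CurrentAttributes: a per-thread store reset only from a body close callback.
module Current
  def self.user=(u); Thread.current[:current_user] = u; end
  def self.user; Thread.current[:current_user]; end
  def self.reset; Thread.current[:current_user] = nil; end
end

# Stand-in for Rack::BodyProxy: runs the block when the body is closed.
class BodyProxy
  def initialize(body, &on_close); @body, @on_close = body, on_close; end
  def each(&blk); @body.each(&blk); end
  def close; @on_close.call; end
end

# The app sets Current.user from the request and renders it; only the
# proxy's close callback (what the Rails Executor hooks) resets Current.
def app(env)
  Current.user = env["user"] if env["user"]
  [200, {}, BodyProxy.new(["user=#{Current.user.inspect}"]) { Current.reset }]
end

# Server side. vulnerable: true mirrors Puma before 5.6.2, where an exception in
# cleanup (modelled by cleanup_raises) skipped res_body.close; false is the fix.
def handle(env, vulnerable:, cleanup_raises: false)
  _status, _headers, res_body = app(env)
  rendered = String.new
  res_body.each { |chunk| rendered << chunk }
  begin
    if vulnerable
      raise IOError, "tempfile unlink failed" if cleanup_raises
      res_body.close
    else
      begin
        raise IOError, "tempfile unlink failed" if cleanup_raises
      ensure
        res_body.close # always runs, whatever cleanup did
      end
    end
  rescue IOError
    # Puma logs the error; the same thread goes on to serve the next request.
  end
  rendered
end

# Two requests on one thread: alice's request fails in cleanup, then an
# anonymous request follows. Returns what the anonymous request rendered.
def second_request_output(vulnerable:)
  Current.reset
  handle({ "user" => "alice" }, vulnerable: vulnerable, cleanup_raises: true)
  handle({}, vulnerable: vulnerable)
end
```

With the vulnerable ordering the anonymous request renders alice's identity; with the nested ensure it renders nil.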
Attack Vector
An attacker exploiting this vulnerability would need to:
- Target a Rails application running on a vulnerable Puma version
- Make requests that cause Rails CurrentAttributes to be populated with sensitive data
- Time subsequent requests to hit the same worker thread before the state is properly cleared
- Access leaked CurrentAttributes data that should have been isolated to a different user's session
The network-based attack vector requires no authentication, though successful exploitation depends on application-specific conditions and thread scheduling.
# Security patch in lib/puma/request.rb
# Ensures `close` is called on the response body no matter what
end
ensure
- uncork_socket io
-
- body.close
- client.tempfile.unlink if client.tempfile
- res_body.close if res_body.respond_to? :close
+ begin
+ uncork_socket io
+
+ body.close
+ client.tempfile.unlink if client.tempfile
+ ensure
+ # Whatever happens, we MUST call `close` on the response body.
+ # Otherwise Rack::BodyProxy callbacks may not fire and lead to various state leaks
+ res_body.close if res_body.respond_to? :close
+ end
after_reply.each { |o| o.call }
end
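Review bot: res_body.close inside the new ensure can itself raise, and an exception raised from an ensure clause replaces the one already propagating, so a failure in uncork_socket, body.close or client.tempfile.unlink would surface as a body-close error and hide the original cause; consider rescuing and logging around `res_body.close if res_body.respond_to? :close`. Note also that `after_reply.each { |o| o.call }` still sits outside the inner ensure, so any exception from the inner begin block skips the after_reply hooks exactly as before the change; if those hooks must always run, they belong under the same ensure.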
Source: Puma Commit Details
Detection Methods for CVE-2022-23634
Indicators of Compromise
- Unexpected data appearing in Rails CurrentAttributes that belongs to other users or sessions
- Application logs showing inconsistent user context data across requests
- User reports of seeing other users' information in their session
- Anomalous thread behavior where state persists unexpectedly between requests
Detection Strategies
- Monitor application logs for CurrentAttributes values that do not match the expected user context
- Implement request correlation tracking to detect when thread-local state leaks between unrelated requests
- Deploy application-level instrumentation to verify Rack::BodyProxy callbacks are being triggered properly
- Use SentinelOne's runtime application monitoring to detect anomalous information flow patterns
Monitoring Recommendations
- Enable verbose logging for Puma worker threads to track request handling and body closure events
- Implement custom Rails instrumentation to alert when CurrentAttributes contains unexpected values
- Monitor for patterns where multiple users' data appears in the same response or session context
- Configure alerts for exceptions occurring during Puma's request cleanup phase
How to Mitigate CVE-2022-23634
Immediate Actions Required
- Upgrade Puma to version 5.6.2 or 4.3.11 or later immediately
- Alternatively, upgrade Rails to version 7.0.2.2, 6.1.4.6, 6.0.4.6, or 5.2.6.2
- Review application code that uses CurrentAttributes to assess potential exposure
- Audit logs for any evidence of information leakage that may have already occurred
Patch Information
The fix is available in Puma versions 5.6.2 and 4.3.11. The patch wraps the response body closure in a nested ensure block, guaranteeing that res_body.close is called regardless of any exceptions that occur during socket uncorking or temporary file cleanup. For detailed patch information, see the Puma Commit Details.
Additional security advisories are available from:
Workarounds
- If both components cannot be patched at once, upgrade whichever of Puma or Rails can be updated first, since fixing either one resolves the vulnerability
- Avoid storing highly sensitive data in Rails CurrentAttributes until patches are applied
- Consider implementing custom middleware to explicitly close response bodies as a temporary measure
- Reduce worker thread reuse by configuring Puma with shorter worker timeouts to limit the window for state leakage
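The instrumentation suggested under Detection Strategies and the interim middleware suggested above, combined in one Rack middleware (added example, not Puma's, Rack's or Rails' code): it tracks whether the server ever closed the previous response body on this thread and, if not, logs a warning and closes it before the new request reaches the app, so the downstream Rack::BodyProxy callbacks still fire. The simulate helper and its two-request server are constructed for the demo.

```ruby
# Added example, not Puma's, Rack's or Rails' code. Mount it outermost (in
# Rails: config.middleware.insert_before 0, BodyClosureGuard) so it wraps the
# Rack::BodyProxy that Rails returns. The logger only needs to respond to #<<.
class BodyClosureGuard
  LAST = :body_closure_guard_last # thread-local slot for the last body served
  # Wraps the downstream body and remembers whether close was ever called.
  class Tracked
    attr_reader :closed
    def initialize(body); @body, @closed = body, false; end
    def each(&blk); @body.each(&blk); end
    def close
      @closed = true
      @body.close if @body.respond_to?(:close)
    end
  end
  def initialize(app, logger = [])
    @app, @logger = app, logger
  end
  def call(env)
    reclaim_stale_body
    status, headers, body = @app.call(env)
    tracked = Tracked.new(body)
    Thread.current[LAST] = tracked
    [status, headers, tracked]
  end
  private
  # Detection plus compensating control: a body the server never closed means
  # the previous request's BodyProxy callbacks never ran. Log it, close it now.
  def reclaim_stale_body
    stale = Thread.current[LAST]
    return if stale.nil? || stale.closed
    @logger << "WARN CVE-2022-23634 guard: previous response body on thread " \
               "#{Thread.current.object_id} was never closed; closing it now"
    stale.close
  end
end

# Constructed demo: one thread serves two requests and may forget to close the
# first body. Returns [number of warnings logged, was the first body closed?].
def simulate(close_first:)
  Thread.current[BodyClosureGuard::LAST] = nil # fresh thread state for the demo
  log = []
  guard = BodyClosureGuard.new(->(_env) { [200, {}, ["ok"]] }, log)
  _s, _h, first = guard.call({})
  first.close if close_first
  _s, _h, second = guard.call({})
  second.close
  [log.size, first.closed]
end
```

A forgotten close yields one warning and a late close; a server that closes properly produces no warning.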
# Update the Gemfile and apply the security patches
# Gemfile: constrain Puma to a fixed release within the series you run
gem 'puma', '~> 5.6', '>= 5.6.2'  # Puma 5.x series
# OR
gem 'puma', '~> 4.3', '>= 4.3.11' # Puma 4.x series (a bare '>= 4.3.11' would also admit 5.x and later)
# Shell: update the locked version, then verify the installed version
bundle update puma
bundle exec puma --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.