CVE-2022-24790 Overview
CVE-2022-24790 is an HTTP Request Smuggling vulnerability affecting Puma, a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When Puma is deployed behind a proxy that does not properly validate incoming HTTP requests against the RFC7230 standard, a discrepancy can occur between how the frontend proxy and Puma interpret where a request starts and ends. This desynchronization allows attackers to smuggle malicious requests through the proxy to the backend Puma server.
Critical Impact
Attackers can bypass security controls, poison web caches, hijack user sessions, and execute unauthorized actions by exploiting the request parsing discrepancy between frontend proxies and Puma servers.
Affected Products
- Puma versions prior to 5.6.4 (5.x branch)
- Puma versions prior to 4.3.12 (4.x branch)
- Debian Linux 10.0 and 11.0
- Fedora 35, 36, and 37
Discovery Timeline
- 2022-03-30 - CVE-2022-24790 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24790
Vulnerability Analysis
HTTP Request Smuggling vulnerabilities arise when frontend and backend servers interpret HTTP request boundaries differently. In this case, Puma's HTTP parser does not strictly enforce RFC7230 compliance when processing certain malformed HTTP requests. When a non-RFC7230-compliant proxy forwards requests to Puma, the two systems may disagree on where one request ends and another begins.
This discrepancy allows an attacker to craft a specially formatted HTTP request that the frontend proxy interprets as a single request, but Puma interprets as two separate requests. The "smuggled" second request bypasses any security controls implemented at the proxy level, potentially allowing unauthorized access to backend resources, cache poisoning, or session hijacking.
The vulnerability is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests), which specifically addresses HTTP Request Smuggling issues.
Root Cause
The root cause lies in Puma's HTTP parser not implementing strict RFC7230 validation for incoming requests. When deployed behind proxies that also lack strict RFC7230 enforcement, the inconsistent parsing behavior between the two components creates an exploitable gap. The fix introduces a new HttpParserError501 exception class to properly handle and reject malformed requests that don't conform to HTTP standards.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends a specially crafted HTTP request to the frontend proxy. The proxy forwards what it believes is a single valid request to Puma. However, due to parsing inconsistencies, Puma interprets the payload as containing an additional embedded request, which is then processed as if it came directly from the proxy.
Common exploitation scenarios include:
- Cache Poisoning: Smuggling requests to poison shared caches with malicious content
- Credential Hijacking: Capturing other users' requests by manipulating request boundaries
- Security Bypass: Circumventing WAF rules and access controls implemented at the proxy layer
The security patch introduces stricter HTTP request parsing:
class ConnectionError < RuntimeError; end
+ class HttpParserError501 < IOError; end
+
# An instance of this class represents a unique request from a client.
# For example, this could be a web request from a browser or from CURL.
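Review bot: the new HttpParserError501 class is declared with no comment saying when it is raised or that it is meant to map to a 501 Not Implemented response, while the visible diff only shows it sitting next to ConnectionError. Add a one-line comment above `class HttpParserError501 < IOError; end` stating the condition that triggers it (a request whose framing or transfer coding the parser does not implement), and confirm that the request-handling code rescues it and returns 501 rather than letting it propagate as a generic IOError, which would be logged like an ordinary socket failure.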
Source: GitHub Puma Commit
Additional hardening was applied to freeze constant values:
508 => 'Loop Detected',
510 => 'Not Extended',
511 => 'Network Authentication Required'
- }
+ }.freeze
# For some HTTP status codes the client only expects headers.
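Review bot: `}.freeze` makes the status-text hash itself immutable but does not freeze its string values such as 'Loop Detected', so those remain mutable unless the file carries a `# frozen_string_literal: true` magic comment, which this hunk does not show. If the goal is a fully immutable constant, either confirm that comment is present at the top of the file or freeze the values as well (for example `.transform_values(&:freeze).freeze`), and add a short comment explaining why the table is frozen.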
Source: GitHub Puma Commit
Detection Methods for CVE-2022-24790
Indicators of Compromise
- Unusual HTTP requests with malformed headers or conflicting Content-Length and Transfer-Encoding headers
- Multiple requests appearing to originate from single connections in backend logs
- Discrepancies between proxy access logs and Puma server logs showing additional requests
- Unexpected cache entries or cache poisoning evidence
Detection Strategies
- Implement deep packet inspection at the network perimeter to identify HTTP request smuggling patterns
- Compare frontend proxy logs with Puma application logs to detect request count discrepancies
- Monitor for requests containing both Content-Length and Transfer-Encoding headers
- Deploy web application firewalls with HTTP desync attack detection capabilities
Monitoring Recommendations
- Enable verbose logging on both proxy and Puma servers to track request boundaries
- Set up alerts for HTTP parsing errors or malformed request rejections
- Monitor for the new HttpParserError501 exceptions in Puma logs after patching
- Implement request integrity validation between proxy and backend server
How to Mitigate CVE-2022-24790
Immediate Actions Required
- Upgrade Puma to version 5.6.4 or later (for 5.x branch) immediately
- Upgrade Puma to version 4.3.12 or later (for 4.x branch) if using the legacy branch
- Configure frontend proxies to strictly validate RFC7230 compliance before forwarding requests
- Review and update Debian and Fedora systems through official security channels
Patch Information
The vulnerability has been addressed in Puma versions 5.6.4 and 4.3.12. The fix introduces the HttpParserError501 exception class to properly reject non-RFC7230-compliant requests, preventing the parsing discrepancy that enables request smuggling.
For detailed patch information, see the GitHub Puma Security Commit and the GitHub Security Advisory.
Distribution-specific updates are available through:
Workarounds
- Enable strict RFC7230 validation on all frontend proxies before forwarding requests to Puma
- Configure proxies to normalize HTTP requests, ensuring consistent Content-Length and Transfer-Encoding handling
- Implement request filtering at the proxy level to reject ambiguous or malformed HTTP requests
- Consider adding an additional layer of validation between the proxy and Puma
# Example nginx configuration (inside a server or location block) to reduce HTTP request smuggling risk
# Speak HTTP/1.1 to Puma so that chunked request bodies are framed the same way on both hops
proxy_http_version 1.1;
# Do not forward the client's hop-by-hop Connection header to Puma
proxy_set_header Connection "";
# Forward the original Host header unchanged
proxy_set_header Host $host;
# Reject requests that list the chunked transfer coding more than once, which makes the framing ambiguous
if ($http_transfer_encoding ~* "chunked.*chunked") {
    return 400;
}
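The header checks named in the Indicators of Compromise and Detection Strategies lists above (a request carrying both Content-Length and Transfer-Encoding, or conflicting values) and the extra validation layer suggested in the Workarounds can be expressed together as a small Rack middleware. The following is an added example written for this page; it is not Puma's code and not part of the fix. The RFC 7230 section 3.3 framing rules it enforces are real, the sample requests are constructed, and the `StrictFraming`, `framing_problem` and `parse_header_block` names are this example's own. Because Puma has already chosen a framing by the time Rack runs, this is defense in depth behind a patched Puma and a validating proxy, not a substitute for either.

```ruby
# Added example (not Puma's code): reject requests whose message framing is
# ambiguous under RFC 7230 section 3.3.3, so a proxy and Puma cannot disagree
# about where a request body ends. Names and sample data are this example's own.

# Transfer codings registered for HTTP/1.1; anything else gets 501 per RFC 7230 3.3.1.
KNOWN_CODINGS = %w[chunked compress deflate gzip].freeze

# Parse the header block of a raw HTTP/1.1 request (constructed input) into a
# hash of lower-cased names to an array of values, one entry per occurrence.
def parse_header_block(raw)
  headers = Hash.new { |h, k| h[k] = [] }
  raw.split(/\r?\n/).drop(1).each do |line|
    break if line.empty?
    name, value = line.split(":", 2)
    headers[name.strip.downcase] << value.to_s.strip
  end
  headers
end

# Return [status, reason] when the framing headers are unacceptable, or nil
# when the request is unambiguous. Multi-valued headers may arrive either as
# repeated lines or as one comma-joined value; both forms are handled.
def framing_problem(headers)
  te = headers.fetch("transfer-encoding", [])
  cl = headers.fetch("content-length", [])

  # The classic smuggling setup: both framing mechanisms present at once.
  return [400, "both Transfer-Encoding and Content-Length present"] if te.any? && cl.any?

  cl_values = cl.flat_map { |v| v.split(",") }.map(&:strip).reject(&:empty?)
  return [400, "Content-Length is not a decimal integer"] if cl_values.any? { |v| v !~ /\A\d+\z/ }
  return [400, "conflicting Content-Length values"] if cl_values.uniq.size > 1

  codings = te.flat_map { |v| v.split(",") }.map { |c| c.strip.downcase }.reject(&:empty?)
  return nil if codings.empty?

  unknown = codings - KNOWN_CODINGS
  return [501, "unknown transfer coding: #{unknown.first}"] if unknown.any?
  return [400, "chunked must be the final transfer coding"] unless codings.last == "chunked"
  return [400, "chunked listed more than once"] if codings.count("chunked") > 1
  nil
end

# Constructed sample requests covering the indicators listed on this page.
SAMPLES = {
  clean:          "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello",
  cl_te:          "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
  double_chunked: "POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked, chunked\r\n\r\n0\r\n\r\n",
  obfuscated:     "POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n",
  dup_cl:         "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello"
}.freeze

# Map each sample name to the status it would be rejected with (nil = accepted).
def scan_samples
  SAMPLES.transform_values { |raw| framing_problem(parse_header_block(raw))&.first }
end

# Rack middleware applying the same check. Rack exposes Content-Length as
# env["CONTENT_LENGTH"] and other headers as HTTP_<NAME>, with repeated
# occurrences joined by ", ", which framing_problem splits again.
class StrictFraming
  def initialize(app)
    @app = app
  end

  def call(env)
    headers = {}
    cl = env["CONTENT_LENGTH"]
    te = env["HTTP_TRANSFER_ENCODING"]
    headers["content-length"] = [cl] if cl && !cl.empty?
    headers["transfer-encoding"] = [te] if te && !te.empty?

    problem = framing_problem(headers)
    return @app.call(env) unless problem

    status, reason = problem
    body = "#{status}: #{reason}\n"
    # "connection: close" asks the server to drop the connection, so any bytes
    # still buffered after this request are not served as a follow-on request.
    [status, { "content-type" => "text/plain", "content-length" => body.bytesize.to_s,
               "connection" => "close" }, [body]]
  end
end

if $PROGRAM_NAME == __FILE__
  scan_samples.each { |name, status| puts "#{name}: #{status || 'accepted'}" }
end
```

Use it as `use StrictFraming` in config.ru in front of the application. Rejected requests are answered with a 400 (ambiguous framing) or 501 (unknown transfer coding) and "connection: close"; alerting on those responses gives the same signal as the HttpParserError501 monitoring recommended above.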
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.