Arch Linux: HTTP Request/Response Smuggling (CVE-2022-24790)
| Severity | CVSS v2 vector | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Mar 30, 2022 | Jul 11, 2025 | Nov 27, 2025 |
Description
When Puma runs behind a front-end proxy that does not properly validate that incoming HTTP requests conform to RFC 7230, Puma and the proxy may disagree on where one request ends and the next begins. An attacker can exploit that disagreement to smuggle a request through the front-end proxy to Puma, so that the back end processes a request the proxy never inspected (CWE-444, HTTP request smuggling).
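The following is an added illustration of the failure mode described above and is not Puma's code, the fix commit, or the exact parser deviation fixed by CVE-2022-24790. It models the general CWE-444 case: a hypothetical lenient front end frames every message by Content-Length alone, while a back end that follows RFC 7230 section 3.3.3 lets Transfer-Encoding: chunked override Content-Length. Fed the same constructed byte stream (SMUGGLE_STREAM, built inline), the two framers return different request lists, which is exactly the disagreement that lets a second request reach the back end unseen. The names (frame_requests, rfc7230_framing_violations, RejectedRequest) and the sample hostname are assumptions for the example; rfc7230_framing_violations is the check a proxy should apply before forwarding, and the strict mode rejects the ambiguous message instead of guessing.

```ruby
# Added example of a CL.TE request-smuggling desync (CWE-444).
# Not Puma's code: "front end" and "back end" here are two hypothetical
# framers applied to the same constructed byte stream.

class RejectedRequest < StandardError; end

# Constructed sample: to a Content-Length-only front end this is ONE request;
# to an RFC 7230 back end the bytes after the chunked terminator are a SECOND,
# smuggled request that the front end never saw.
SMUGGLED_REQUEST = "GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
CHUNKED_EMPTY_BODY = "0\r\n\r\n"
SMUGGLE_STREAM =
  "POST /search HTTP/1.1\r\n" +
  "Host: app.example\r\n" +
  "Content-Length: #{(CHUNKED_EMPTY_BODY + SMUGGLED_REQUEST).bytesize}\r\n" +
  "Transfer-Encoding: chunked\r\n" +
  "\r\n" +
  CHUNKED_EMPTY_BODY + SMUGGLED_REQUEST

# Constructed clean request (unambiguous framing) for comparison.
CLEAN_STREAM = "POST /search HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nq=abc"

# Parse one request head starting at +pos+. Returns [request_line, headers,
# body_start] (header names downcased) or nil when no complete head remains.
def parse_head(stream, pos)
  end_of_head = stream.index("\r\n\r\n", pos)
  return nil unless end_of_head
  lines = stream[pos...end_of_head].split("\r\n")
  request_line = lines.shift
  headers = {}
  lines.each do |line|
    name, value = line.split(":", 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  [request_line, headers, end_of_head + 4]
end

# Skip a chunked body (no trailers assumed); returns the offset just past it.
def skip_chunked_body(stream, pos)
  loop do
    line_end = stream.index("\r\n", pos)
    raise RejectedRequest, "truncated chunk-size line" unless line_end
    size = stream[pos...line_end].split(";", 2).first.to_i(16)
    pos = line_end + 2
    return pos + 2 if size.zero?   # last-chunk, then the empty trailer CRLF
    pos += size + 2                # chunk-data followed by its CRLF
  end
end

# Framing ambiguities that RFC 7230 section 3.3.3 lets a server reject outright.
def rfc7230_framing_violations(headers)
  problems = []
  te = headers["transfer-encoding"]
  cl = headers["content-length"]
  problems << "both Transfer-Encoding and Content-Length present" if te && cl
  if te
    codings = te.downcase.split(",").map(&:strip)
    problems << "chunked is not the final transfer-coding" unless codings.last == "chunked"
  end
  problems << "Content-Length is not a plain decimal" if cl && cl !~ /\A\d+\z/
  problems
end

# Return the request lines found in +stream+. With honor_te: false the body is
# framed by Content-Length alone (lenient front end); with honor_te: true a
# chunked Transfer-Encoding overrides Content-Length (RFC 7230 back end).
# strict: true refuses ambiguous messages instead of picking one interpretation.
def frame_requests(stream, honor_te:, strict: false)
  requests = []
  pos = 0
  while (head = parse_head(stream, pos))
    request_line, headers, body_start = head
    if strict
      problems = rfc7230_framing_violations(headers)
      raise RejectedRequest, problems.join("; ") unless problems.empty?
    end
    requests << request_line
    chunked = honor_te && headers["transfer-encoding"].to_s.downcase.include?("chunked")
    pos = if chunked
            skip_chunked_body(stream, body_start)
          else
            body_start + headers.fetch("content-length", "0").to_i
          end
  end
  requests
end

# Side-by-side view of how each side frames the same bytes.
def desync_report(stream)
  {
    front_end: frame_requests(stream, honor_te: false),
    back_end: frame_requests(stream, honor_te: true),
    violations: rfc7230_framing_violations(parse_head(stream, 0)[1])
  }
end
```

Calling desync_report(SMUGGLE_STREAM) shows the front end forwarding a single POST /search while the back end sees that POST followed by GET /admin; frame_requests(SMUGGLE_STREAM, honor_te: true, strict: true) raises RejectedRequest because both framing headers are present, which is the behaviour a proxy needs so that it and Puma can never disagree on message boundaries.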
Solution
Upgrade the affected Arch Linux package to the latest available version (solution: arch-linux-upgrade-latest).
References
- CVE-2022-24790
- https://attackerkb.com/topics/CVE-2022-24790
- https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
- https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
- https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
- https://security.gentoo.org/glsa/202208-28
- https://www.debian.org/security/2022/dsa-5146
- CWE-444 (Inconsistent Interpretation of HTTP Requests, "HTTP Request/Response Smuggling")