CVE-2020-11077

Name: CVE-2020-11077
Creator: NVD / NIST
Published: 2020-05-22T15:15:11.507+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 2.81%

Last modified Jun 17, 2026

CVE-2020-11077 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. EPSS estimates a 2.81% chance of exploitation in the next 30 days.

Description

In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

2.81%

84.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Puma	Puma	>= 3.0.0, < 3.12.6
Puma	Puma	>= 4.0.0, < 4.3.5
Fedoraproject	Fedora	33
Debian	Debian Linux	9.0
Opensuse	Leap	15.1
Opensuse	Leap	15.2

References

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.htmlMailing List, Third Party Advisory
https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22Release Notes
https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxmVendor Advisory
https://lists.debian.org/debian-lts-announce/2020/10/msg00009.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.htmlMailing List, Third Party Advisory
https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22Release Notes
https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxmVendor Advisory
https://lists.debian.org/debian-lts-announce/2020/10/msg00009.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/

Timeline

Published: May 22, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-11077?

How severe is CVE-2020-11077?

CVE-2020-11077 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 2.81% probability of exploitation in the next 30 days.

How do I fix CVE-2020-11077?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-11077?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST