Closed gaurijo closed 10 months ago
@adolski I saw a dependabot alert about the puma gem
and just wanted to document it as its own issue here for reference.
Is it fine for me to push up an update of the gem (and make sure the update doesn't break any existing dependencies) or do you prefer I check out a separate branch for this?
It's fine to work directly on the main branches for this. Thanks!
Dependabot Alert - Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.
Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.
Patches: The vulnerability has been fixed in 6.4.2 and 5.6.8.
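For reference, here is an added example (not puma's code, and not from the advisory) that shows the class of bug the alert describes: a minimal parser for an HTTP/1.1 chunked body. Each chunk-size line is `<hex-size>[;name[=value]]*\r\n`; the part after the `;` is the chunk extension, which clients almost never send. A parser that accepts extensions of any length lets a client push an unbounded stream of extension bytes that the server must buffer and scan for every chunk, which is the resource-consumption problem the fixed versions close by capping the extension size. The `MAX_CHUNK_EXT` and `MAX_BODY` limits below are assumed values for this example, not puma's constants.

```ruby
# Added example, not puma's implementation. MAX_CHUNK_EXT is an assumed
# cap chosen for illustration; puma's actual limit may differ.
MAX_CHUNK_EXT = 16
MAX_BODY = 1024 * 1024

class ChunkedBodyError < StandardError; end

# Decodes a complete chunked body held in +data+ and returns the payload
# bytes. Raises ChunkedBodyError on malformed input, on an over-long chunk
# extension, or when the decoded body would exceed +max_body+. Trailer
# fields after the last-chunk are ignored here.
def parse_chunked(data, max_ext: MAX_CHUNK_EXT, max_body: MAX_BODY)
  body = +""
  pos = 0
  loop do
    eol = data.index("\r\n", pos)
    raise ChunkedBodyError, "truncated chunk-size line" unless eol

    line = data[pos...eol]
    size_hex, ext = line.split(";", 2)
    unless size_hex =~ /\A[0-9a-fA-F]+\z/
      raise ChunkedBodyError, "bad chunk size #{size_hex.inspect}"
    end

    # The fix in miniature: bound the extension bytes before doing any
    # further work on them, so a client cannot make each chunk-size line
    # arbitrarily expensive to read.
    if ext && ext.bytesize > max_ext
      raise ChunkedBodyError, "chunk extension too long (#{ext.bytesize} > #{max_ext})"
    end

    size = size_hex.to_i(16)
    pos = eol + 2
    return body if size.zero? # last-chunk

    if body.bytesize + size > max_body
      raise ChunkedBodyError, "decoded body exceeds #{max_body} bytes"
    end

    chunk = data.byteslice(pos, size)
    if chunk.nil? || chunk.bytesize < size
      raise ChunkedBodyError, "truncated chunk data"
    end
    body << chunk
    pos += size

    unless data[pos, 2] == "\r\n"
      raise ChunkedBodyError, "missing CRLF after chunk data"
    end
    pos += 2
  end
end

# Constructed inputs for a quick local check: a normal body, a body with a
# small legitimate extension, and an abusive chunk-size line carrying a
# 10 KB extension of the kind the advisory warns about.
NORMAL_BODY    = "5\r\nhello\r\n0\r\n\r\n"
EXTENSION_BODY = "5;a=b\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
ABUSIVE_BODY   = "5;" + ("x" * 10_000) + "\r\nhello\r\n0\r\n\r\n"

# Returns :rejected when the parser refuses the input, else the payload.
def try_parse(data)
  parse_chunked(data)
rescue ChunkedBodyError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts try_parse(NORMAL_BODY).inspect
  puts try_parse(EXTENSION_BODY).inspect
  puts try_parse(ABUSIVE_BODY).inspect
end
```

Running it stand-alone decodes the first two inputs and rejects the third at the chunk-size line, before any of the 10 KB of extension bytes is examined further. For this repository the actual remediation is just the gem bump (`bundle update puma --conservative`, then confirming Gemfile.lock resolves puma to a fixed version, 6.4.2+ or 5.6.8+) plus the existing test run.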