Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `18.104.22.168`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 22.214.171.124, 126.96.36.199, and 188.8.131.52. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.
Please bump to 5.6.2.
Puma 5.6.2 has now been added.
Thanks, please cleanup!
(In reply to John Helmert III from comment #2)
> Thanks, please cleanup!
Sorry, this one needs stabilization.