Puma is a web server for highly concurrent applications, developed by Evan Phoenix, an individual developer in the U.S. Puma has an information disclosure vulnerability: prior to Puma version 5.6.2, Puma may not always call close on the response body, and prior to version 7.0.2.2, Rails relied on the response body being closed for its “CurrentAttributes” implementation to work correctly. The combination of these two behaviors (Puma not closing the body, and Rails’ Executor implementation) can lead to information leakage. No details of the vulnerability are currently available.
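The interaction described above can be reproduced in a small simulation. This is an added example, not code from Puma or Rails: `Current`, `ClosingBody`, `app_call` and `serve` are hypothetical stand-ins, and the `reset_on_entry` option is an illustrative mitigation that the page does not describe.

```ruby
# Constructed simulation: no Puma or Rails code is used. Current, ClosingBody,
# app_call and serve are hypothetical stand-ins for the pieces the advisory names.

# Per-thread request state, in the style of a CurrentAttributes store.
module Current
  def self.user;     Thread.current[:current_user];       end
  def self.user=(v); Thread.current[:current_user] = v;   end
  def self.reset;    Thread.current[:current_user] = nil; end
end

# Response body whose close hook performs the per-request cleanup.
class ClosingBody
  def initialize(parts, &on_close)
    @parts = parts
    @on_close = on_close
  end
  def each(&blk); @parts.each(&blk); end
  def close;      @on_close.call;    end
end

# App: sets Current.user only when the request carries a user, and relies on
# body.close to clear it afterwards.
def app_call(env, reset_on_entry:)
  Current.reset if reset_on_entry            # assumed mitigation: do not trust close
  Current.user = env[:user] if env[:user]
  ClosingBody.new(["hello #{Current.user || 'anonymous'}"]) { Current.reset }
end

# Server: one worker thread handles requests in sequence, as a thread pool does.
def serve(requests, server_closes_body:, reset_on_entry: false)
  Thread.new do
    requests.map do |env|
      body = app_call(env, reset_on_entry: reset_on_entry)
      out = +""
      body.each { |part| out << part }
      body.close if server_closes_body       # the call that may be skipped
      out
    end
  end.value
end

REQUESTS = [{ user: "alice" }, {}].freeze    # constructed: logged-in, then anonymous

p serve(REQUESTS, server_closes_body: false)                       # state carries over
p serve(REQUESTS, server_closes_body: true)                        # cleaned by close
p serve(REQUESTS, server_closes_body: false, reset_on_entry: true) # cleaned on entry
```

When the body is never closed, the anonymous second request is answered with the first request's user, which is the leak the advisory describes.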