RubySec

Providing security resources for the Ruby community

CVE-2019-16770 (puma): Keepalive thread overload/DoS in puma

ADVISORIES

GEM

puma

SEVERITY

CVSS v3: 8.8 (High)

CVSS v2: 6.8 (Medium)

PATCHED VERSIONS

  • ~> 3.12.2
  • >= 4.3.1

DESCRIPTION

A poorly-behaved client could use keepalive requests to monopolize Puma’s reactor and create a denial of service attack.

If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.