Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (https://github.com/puma/puma) · only source for this CVE.
CVSS VectorVendor: https://github.com/puma/puma
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Impact
PROXY protocol support for Puma was added in version 5.5.0.
When PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer. It waits for "\r\n" to determine whether a PROXY v1 line is present. If an attacker opens a TCP connection and continuously sends bytes without CRLF, Puma keeps appending to this pre-parse buffer.
This can cause unbounded in-process memory growth and additional CPU cost from repeatedly scanning the growing buffer for CRLF. A single, unauthenticated TCP connection can drive significant memory growth and may cause process/container OOM or degraded availability.
Only Puma servers using the following non-default config are affected:
set_remote_address proxy_protocol: :v1Patches
Users should upgrade to versions 7.2.1 or 8.0.2.
Workarounds
- Disable PROXY protocol v1 parsing if it is not required:
# remove/comment this:
# set_remote_address proxy_protocol: :v1- Restrict direct network access to Puma listeners using PROXY protocol:
- Only allow trusted load balancers/reverse proxies to connect.
- Block arbitrary client TCP access with firewall/security group rules.
Resources
AnalysisAI
Remote denial-of-service in Puma Ruby web server versions 5.5.0 through 7.2.0 and 8.0.0 through 8.0.1 allows unauthenticated attackers to exhaust process memory by opening a TCP connection and sending data without CRLF terminators when PROXY protocol v1 support is enabled. The vulnerability lives in the PROXY v1 pre-parse buffer, which grows without bound while Puma waits for the '\r\n' delimiter, leading to OOM kills or container restarts. No public exploit identified at time of analysis, and the issue only affects servers explicitly opting into the non-default set_remote_address proxy_protocol: :v1 configuration.
Technical ContextAI
Puma is a widely deployed multi-threaded Ruby HTTP server commonly used to host Rails and Rack applications behind load balancers. The HAProxy PROXY protocol v1 is a plaintext protocol that prepends a line such as 'PROXY TCP4 src dst sport dport\r\n' to a TCP connection so the backend can recover the real client address through an L4 proxy. Puma added optional PROXY v1 parsing in version 5.5.0; the parser, implemented in lib/puma/client.rb against the PROXY_PROTOCOL_V1_REGEX constant in lib/puma/const.rb, accumulates inbound bytes into a pre-parse buffer and rescans it for CRLF on every read. Because there is no cap on the buffer size or on the time spent waiting for the delimiter, this is a textbook CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling) condition - an attacker controls how much data is held in memory and how often the scan runs.
RemediationAI
Vendor-released patch: upgrade Puma to 7.2.1 (for the 5.5.0-7.2.0 branch) or 8.0.2 (for the 8.0.x branch) per GHSA-qpgp-93vx-g8v8. If immediate upgrade is not possible and PROXY protocol v1 is not actually required, remove or comment out the set_remote_address proxy_protocol: :v1 line in the Puma DSL configuration; the trade-off is that Puma will then see the load balancer's IP as the client address unless another mechanism (e.g. trusted X-Forwarded-For handling in the application) is in place. If PROXY v1 must remain enabled, restrict L4 access to the Puma listener so that only trusted load balancers or reverse proxies (e.g. HAProxy, AWS NLB, GCP TCP LB) can connect, using firewall, security group, or network policy rules to block arbitrary client TCP access - be aware this protection collapses if an attacker can pivot into the same network segment or if the load balancer forwards arbitrary client TCP without sanitisation.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44442
GHSA-qpgp-93vx-g8v8