Skip to main content

Puma EUVDEUVD-2026-44442

| CVE-2026-47736 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-08 https://github.com/puma/puma GHSA-qpgp-93vx-g8v8
7.5
CVSS 3.1 · Vendor: https://github.com/puma/puma
Share

Severity by source

Vendor (https://github.com/puma/puma) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (https://github.com/puma/puma) · only source for this CVE.

CVSS VectorVendor: https://github.com/puma/puma

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 09, 2026 - 00:14 vuln.today
Analysis Generated
Jun 09, 2026 - 00:14 vuln.today

DescriptionCVE.org

Impact

PROXY protocol support for Puma was added in version 5.5.0.

When PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer. It waits for "\r\n" to determine whether a PROXY v1 line is present. If an attacker opens a TCP connection and continuously sends bytes without CRLF, Puma keeps appending to this pre-parse buffer.

This can cause unbounded in-process memory growth and additional CPU cost from repeatedly scanning the growing buffer for CRLF. A single, unauthenticated TCP connection can drive significant memory growth and may cause process/container OOM or degraded availability.

Only Puma servers using the following non-default config are affected:

ruby
   set_remote_address proxy_protocol: :v1

Patches

Users should upgrade to versions 7.2.1 or 8.0.2.

Workarounds

  • Disable PROXY protocol v1 parsing if it is not required:
ruby
# remove/comment this:
# set_remote_address proxy_protocol: :v1
  • Restrict direct network access to Puma listeners using PROXY protocol:
  • Only allow trusted load balancers/reverse proxies to connect.
  • Block arbitrary client TCP access with firewall/security group rules.

Resources

AnalysisAI

Remote denial-of-service in Puma Ruby web server versions 5.5.0 through 7.2.0 and 8.0.0 through 8.0.1 allows unauthenticated attackers to exhaust process memory by opening a TCP connection and sending data without CRLF terminators when PROXY protocol v1 support is enabled. The vulnerability lives in the PROXY v1 pre-parse buffer, which grows without bound while Puma waits for the '\r\n' delimiter, leading to OOM kills or container restarts. No public exploit identified at time of analysis, and the issue only affects servers explicitly opting into the non-default set_remote_address proxy_protocol: :v1 configuration.

Technical ContextAI

Puma is a widely deployed multi-threaded Ruby HTTP server commonly used to host Rails and Rack applications behind load balancers. The HAProxy PROXY protocol v1 is a plaintext protocol that prepends a line such as 'PROXY TCP4 src dst sport dport\r\n' to a TCP connection so the backend can recover the real client address through an L4 proxy. Puma added optional PROXY v1 parsing in version 5.5.0; the parser, implemented in lib/puma/client.rb against the PROXY_PROTOCOL_V1_REGEX constant in lib/puma/const.rb, accumulates inbound bytes into a pre-parse buffer and rescans it for CRLF on every read. Because there is no cap on the buffer size or on the time spent waiting for the delimiter, this is a textbook CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling) condition - an attacker controls how much data is held in memory and how often the scan runs.

RemediationAI

Vendor-released patch: upgrade Puma to 7.2.1 (for the 5.5.0-7.2.0 branch) or 8.0.2 (for the 8.0.x branch) per GHSA-qpgp-93vx-g8v8. If immediate upgrade is not possible and PROXY protocol v1 is not actually required, remove or comment out the set_remote_address proxy_protocol: :v1 line in the Puma DSL configuration; the trade-off is that Puma will then see the load balancer's IP as the client address unless another mechanism (e.g. trusted X-Forwarded-For handling in the application) is in place. If PROXY v1 must remain enabled, restrict L4 access to the Puma listener so that only trusted load balancers or reverse proxies (e.g. HAProxy, AWS NLB, GCP TCP LB) can connect, using firewall, security group, or network policy rules to block arbitrary client TCP access - be aware this protection collapses if an attacker can pivot into the same network segment or if the load balancer forwards arbitrary client TCP without sanitisation.

Share

EUVD-2026-44442 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy