Apache · Apache · CVE-2021-29509
**Name of the Vulnerable Software and Affected Versions**
Puma versions prior to 4.3.8
Puma versions prior to 5.3.1
**Description**
The issue stems from an incomplete fix for a previous problem: greedy persistent (keep-alive) connections could saturate all threads in the cluster, starving new connections. This could lead to a denial of service in which a subset of connections is serviced while the rest are denied. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents where this issue was exploited. The problem can be triggered by receiving more concurrent `keep-alive` connections than the server has threads in its threadpool.
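To make the starvation mechanism concrete, here is an added discrete-time model of a fixed-size thread pool (example code written for this page, not Puma's own code). It compares a "hold" policy, where a thread stays pinned to a keep-alive connection for as long as that connection keeps sending requests, with a simplified "yield" policy that returns the connection to the back of the queue after each request. The yield policy, the workload, and the `simulate`/`ordinary_served` helpers are assumptions of this model; it does not describe how Puma's fixed versions actually schedule connections.

```ruby
# Discrete-time model of a fixed-size thread pool serving HTTP connections.
# A Connection has an :id, a :keep_alive flag (true = never closes) and a
# :requests counter (how many requests it still wants to send). Each tick,
# every free thread takes the connection at the head of the queue and serves
# exactly one request from it.
#
# Scheduling policies modelled here (both are assumptions of this model):
#   :hold  - the thread keeps the keep-alive connection until it closes,
#            which is the starvation behaviour described in the advisory
#   :yield - after each request the connection goes to the tail of the queue
#            so waiting connections get a turn (a simplified fair policy used
#            for contrast, not a description of Puma's actual fix)
Connection = Struct.new(:id, :keep_alive, :requests)

def simulate(threads:, queue:, policy:, ticks:)
  queue = queue.map(&:dup)   # work on copies so the caller's objects stay intact
  busy = []                  # connections currently held by a thread
  served = Hash.new(0)       # requests served, keyed by connection id

  ticks.times do
    # Fill every free thread from the head of the queue.
    busy << queue.shift while busy.size < threads && !queue.empty?

    # Each busy thread serves one request this tick.
    still_busy = []
    busy.each do |conn|
      served[conn.id] += 1
      conn.requests -= 1
      # A non keep-alive connection closes once its requests are done,
      # freeing the thread.
      next if conn.requests <= 0 && !conn.keep_alive

      if policy == :hold
        still_busy << conn   # thread stays pinned to this connection
      else
        queue << conn        # :yield puts it at the back of the line
      end
    end
    busy = still_busy
  end

  served
end

# Constructed sample workload (not taken from the advisory): two greedy
# keep-alive clients that always have another request ready, followed by
# three ordinary clients that each want a single request.
def sample_queue
  [
    Connection.new(:greedy_a, true, Float::INFINITY),
    Connection.new(:greedy_b, true, Float::INFINITY),
    Connection.new(:client_1, false, 1),
    Connection.new(:client_2, false, 1),
    Connection.new(:client_3, false, 1),
  ]
end

# Number of ordinary (non keep-alive) connections that received service
# under the given policy, with a pool of `threads` threads.
def ordinary_served(policy, threads: 2, ticks: 10)
  served = simulate(threads: threads, queue: sample_queue, policy: policy, ticks: ticks)
  sample_queue.reject(&:keep_alive).count { |c| served[c.id] > 0 }
end

if __FILE__ == $PROGRAM_NAME
  puts "hold policy  : #{ordinary_served(:hold)} of 3 ordinary clients served"
  puts "yield policy : #{ordinary_served(:yield)} of 3 ordinary clients served"
end
```

With two threads and two greedy keep-alive connections, the hold policy never frees a thread, so none of the three ordinary clients is served no matter how many ticks elapse; under the yield policy all three are served within a few ticks. The same model can be rerun with a larger `threads:` value to see that the problem only appears once the number of greedy keep-alive connections reaches the pool size, which is the condition the advisory describes.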
**Recommendations**
For versions prior to 4.3.8, update to version 4.3.8 or later.
For versions prior to 5.3.1, update to version 5.3.1 or later.
As a temporary workaround, consider setting `queue_requests` to `false`, but this is not advised when running `puma` without a reverse proxy such as `nginx` or `apache` in front of it, because it may expose the server to slow-client attacks.