PT-2019-14826 · Ruby+1 · Puma+1

Nateberkopec

·

Published

2019-12-05

·

Updated

2026-03-13

·

CVE-2019-16770

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Puma versions prior to 3.12.2 Puma versions prior to 4.3.1
Description A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
Recommendations For versions prior to 3.12.2, update to version 3.12.2 or later to resolve the issue. For versions prior to 4.3.1, update to version 4.3.1 or later to resolve the issue. As a temporary workaround, consider configuring reverse proxies in front of Puma to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.

Exploit

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

CWE-770

Related Identifiers

CVE-2019-16770
DLA-3023-1
GHSA-7XX3-M584-X994
OPENSUSE-SU-2020:1993-1
OPENSUSE-SU-2020:2000-1
OPENSUSE-SU-2020_1993-1
OPENSUSE-SU-2020_2000-1
OPENSUSE-SU-2024:10589-1
OPENSUSE-SU-2024:11342-1
OPENSUSE-SU-2024:11343-1
OPENSUSE-SU-2024:11830-1
OPENSUSE-SU-2024:11847-1
OPENSUSE-SU-2024:12592-1
OPENSUSE-SU-2024:12900-1
OPENSUSE-SU-2024:13166-1
OPENSUSE-SU-2024:13720-1
OPENSUSE-SU-2024:13721-1
OPENSUSE-SU-2025:15123-1
OPENSUSE-SU-2026:10357-1
SUSE-SU-2020:0081-1
SUSE-SU-2020:0311-1
SUSE-SU-2020:0640-1
SUSE-SU-2020:0642-1
SUSE-SU-2020:2060-1
SUSE-SU-2020:3036-1
SUSE-SU-2020:3147-1
SUSE-SU-2020:3160-1

Affected Products

Puma
Suse