PT-2026-47625 · Rubygems · Puma

Published

2026-06-08

·

Updated

2026-06-08

·

CVE-2026-47736

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact

PROXY protocol support for Puma was added in version 5.5.0.
When PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal pre-parse buffer and scans it for a CRLF ("\r\n") to determine whether a PROXY v1 header line is present. If an attacker opens a TCP connection and keeps sending bytes that never contain a CRLF, Puma keeps appending to this buffer instead of rejecting the connection.
This causes unbounded in-process memory growth, plus additional CPU cost from rescanning the ever-larger buffer for CRLF on each read. A single unauthenticated TCP connection can therefore drive significant memory growth and may cause a process or container OOM, or otherwise degrade availability. Note that a well-formed PROXY v1 line is at most 107 bytes including the CRLF, so any connection that has sent more than that without a CRLF can never be carrying a valid header.
Only Puma servers using the following non-default configuration are affected:
  set_remote_address proxy_protocol: :v1
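The following Ruby model is an added illustration of the buffering behaviour described above; it is not Puma's code and the class and method names are invented for the example. It contrasts an unbounded pre-parser, which keeps appending and rescanning until a CRLF arrives, with a bounded one that rejects a connection once it has sent more than the 107-byte maximum a PROXY v1 line may have (a limit from the PROXY protocol specification) and stops buffering as soon as the data cannot be a PROXY line at all. The flood input is constructed in the block.

```ruby
# Added example (not Puma's code): a minimal model of PROXY protocol v1
# pre-parsing, in a vulnerable and a hardened form.
#
# PROXY v1 header: "PROXY TCP4 <src> <dst> <sport> <dport>\r\n".
# The protocol spec caps a v1 line at 107 bytes including CRLF; the
# hardened reader enforces that cap, the vulnerable one does not.

CRLF = "\r\n".b
PROXY_V1_MAX = 107 # maximum v1 line length from the PROXY protocol spec
PROXY_V1_RE = /\APROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n/

# Parse one complete header line; nil if it is not a PROXY v1 line.
def parse_proxy_v1(line)
  m = PROXY_V1_RE.match(line) or return nil
  { family: m[1], src: m[2], dst: m[3], sport: m[4]&.to_i, dport: m[5]&.to_i }
end

# Vulnerable model: append until a CRLF shows up, however long that takes,
# and rescan the whole buffer on every read (the CPU cost the advisory notes).
class UnboundedPreParser
  attr_reader :buffer
  def initialize; @buffer = "".b; end

  def feed(chunk)
    @buffer << chunk.b
    idx = @buffer.index(CRLF) or return :need_more
    parsed = parse_proxy_v1(@buffer.byteslice(0, idx + CRLF.bytesize))
    return :not_proxy unless parsed # leave bytes for the HTTP parser
    @buffer.slice!(0, idx + CRLF.bytesize)
    parsed
  end
end

# Hardened model: a peer that has sent PROXY_V1_MAX bytes without a CRLF can
# never be sending a valid header, so reject it instead of buffering more.
# Also stop as soon as the prefix cannot be "PROXY ", so plain HTTP requests
# are never held in the pre-parse buffer either.
class BoundedPreParser
  MAGIC = "PROXY ".b
  attr_reader :buffer
  def initialize; @buffer = "".b; end

  def feed(chunk)
    @buffer << chunk.b
    prefix = @buffer.byteslice(0, MAGIC.bytesize)
    return :not_proxy unless MAGIC.start_with?(prefix) # cannot be a PROXY line
    idx = @buffer.index(CRLF)
    if idx.nil?
      return :reject if @buffer.bytesize >= PROXY_V1_MAX # over the spec cap
      return :need_more
    end
    return :reject if idx + CRLF.bytesize > PROXY_V1_MAX
    parsed = parse_proxy_v1(@buffer.byteslice(0, idx + CRLF.bytesize))
    return :reject unless parsed # started like PROXY but is malformed
    @buffer.slice!(0, idx + CRLF.bytesize)
    parsed
  end
end

# Constructed attack stream: a plausible header start, then "A" bytes forever
# with no CRLF. Returns the parser's last verdict and its buffer size.
def simulate_flood(parser, chunks:, chunk_size: 1024)
  result = parser.feed("PROXY TCP4 ".b)
  chunks.times do
    break if result == :reject
    result = parser.feed("A" * chunk_size)
  end
  [result, parser.buffer.bytesize]
end

if __FILE__ == $PROGRAM_NAME
  p simulate_flood(UnboundedPreParser.new, chunks: 100) # grows without bound
  p simulate_flood(BoundedPreParser.new, chunks: 100)   # rejected after the cap
end
```

In a real server the bounded variant would also read at most `PROXY_V1_MAX - buffer.bytesize` bytes from the socket per call, so the buffer never exceeds the cap even by one chunk; the model above checks the cap after the read only to keep the two classes directly comparable.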

Patches

Users should upgrade to versions 7.2.1 or 8.0.2.

Workarounds

  • Disable PROXY protocol v1 parsing if it is not required:
 # remove/comment this:
 # set_remote_address proxy_protocol: :v1
  • Restrict direct network access to Puma listeners using PROXY protocol:
    • Only allow trusted load balancers/reverse proxies to connect.
    • Block arbitrary client TCP access with firewall/security group rules.

Resources

Exploit

Fix

Weakness Enumeration

Resource Exhaustion

Related Identifiers

CVE-2026-47736
GHSA-QPGP-93VX-G8V8

Affected Products

Puma