{"id":"GHSA-7xx3-m584-x994","summary":"A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack","details":"## Keepalive thread overload/DoS\n\n### Impact\n\nA poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack.\n\nIf more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.\n\n### Patches\n\nThis vulnerability is patched in Puma 4.3.1 and 3.12.2.\n\n### Workarounds\n\nReverse proxies in front of Puma could be configured to always allow fewer than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue at [puma](https://github.com/puma/puma).","aliases":["CVE-2019-16770"],"modified":"2026-02-04T02:25:00.298203Z","published":"2019-12-05T19:26:37Z","related":["CVE-2019-16770"],"database_specific":{"severity":"MODERATE","nvd_published_at":"2019-12-05T20:15:00Z","cwe_ids":["CWE-770"],"github_reviewed":true,"github_reviewed_at":"2020-06-16T21:23:51Z"},"references":[{"type":"WEB","url":"https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16770"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-7xx3-m584-x994"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2019-16770.yml"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html"}],"affected":[{"package":{"name":"puma","ecosystem":"RubyGems","purl":"pkg:gem/puma"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.12.2"}]}],"versions":["0.8.0","0.8.1","0.8.2","0.9.0","0.9.1","0.9.2","0.9.3","0.9.4","0.9.5","1.0.0","1.1.0","1.1.1","1.2.0","1.2.1","1.2.2","1.3.0","1.3.1","1.4.0","1.5.0","1.6.0","1.6.1","1.6.2","1.6.3","2.0.0","2.0.0.b1","2.0.0.b2","2.0.0.b3","2.0.0.b4","2.0.0.b5","2.0.0.b6","2.0.0.b7","2.0.1","2.1.0","2.1.1","2.10.0","2.10.1","2.10.2","2.11.0","2.11.1","2.11.2","2.11.3","2.12.0","2.12.1","2.12.2","2.12.3","2.13.0","2.13.1","2.13.2","2.13.3","2.13.4","2.14.0","2.15.0","2.15.1","2.15.2","2.15.3","2.16.0","2.2.0","2.2.1","2.2.2","2.3.0","2.3.1","2.3.2","2.4.0","2.4.1","2.5.0","2.5.1","2.6.0","2.7.0","2.7.1","2.8.0","2.8.1","2.8.2","2.9.0","2.9.1","2.9.2","3.0.0","3.0.0.rc1","3.0.1","3.0.2","3.1.0","3.1.1","3.10.0","3.11.0","3.11.1","3.11.2","3.11.3","3.11.4","3.12.0","3.12.1","3.2.0","3.3.0","3.4.0","3.5.0","3.5.1","3.5.2","3.6.0","3.6.1","3.6.2","3.7.0","3.7.1","3.8.0","3.8.1","3.8.2","3.9.0","3.9.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-7xx3-m584-x994/GHSA-7xx3-m584-x994.json"}},{"package":{"name":"puma","ecosystem":"RubyGems","purl":"pkg:gem/puma"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.0.0"},{"fixed":"4.3.1"}]}],"versions":["4.0.0","4.0.1","4.1.0","4.1.1","4.2.0","4.2.1","4.3.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-7xx3-m584-x994/GHSA-7xx3-m584-x994.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}