CVE-2019-16770

Potential DOS attack in Puma

Description

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

Remediation

Workaround:

  • Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.
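The workaround above is a sizing rule: the proxy must never hold more keepalive connections to a Puma process than that process has threads. The following Ruby script is an added example, not code from the advisory or from the Puma project, that checks a deployment against that rule. It assumes nginx is the reverse proxy, that its upstream block uses the `keepalive` directive (which sizes an idle-connection cache per nginx worker process, so the effective bound is `keepalive` times `worker_processes`), and that Puma's pool size comes from a `threads min, max` line in its config file; both config fragments are constructed for the example.

```ruby
# Added example (not from the advisory or the Puma project): verify that a
# reverse proxy's keepalive cap toward Puma stays strictly below Puma's
# thread count, the workaround described for CVE-2019-16770.
#
# Assumptions: nginx in front of Puma; nginx `keepalive` is per worker
# process, so the effective cap is keepalive * worker_processes; Puma's
# thread pool size is the max argument of its `threads min, max` setting.

# Constructed Puma config fragment (`threads` and `workers` are real Puma DSL).
PUMA_CONFIG = <<~RUBY
  workers 2
  threads 0, 16
  bind "tcp://127.0.0.1:3000"
RUBY

# Constructed nginx config fragment.
NGINX_CONFIG = <<~NGINX
  worker_processes 4;
  upstream puma_app {
      server 127.0.0.1:3000;
      keepalive 8;
  }
NGINX

# Maximum threads per Puma process: the second argument of `threads min, max`.
# Cluster mode (`workers N`) does not raise this bound, because the OS may
# hand every accepted connection to a single worker process.
def puma_max_threads(config)
  m = config.match(/^\s*threads\s+(\d+)\s*,\s*(\d+)/)
  raise ArgumentError, "no `threads min, max` line found" unless m
  Integer(m[2])
end

# nginx worker count and per-worker keepalive cache size. `worker_processes
# auto;` is rejected on purpose: the check needs a concrete number.
def nginx_settings(config)
  workers = config.match(/^\s*worker_processes\s+(\d+)\s*;/)
  cache   = config.match(/^\s*keepalive\s+(\d+)\s*;/)
  unless workers && cache
    raise ArgumentError, "need numeric worker_processes and upstream keepalive"
  end
  { workers: Integer(workers[1]), keepalive: Integer(cache[1]) }
end

# Compare the proxy's effective keepalive cap with Puma's thread count.
# The advisory's rule is strict: cap must be less than the thread count.
def keepalive_budget(puma_config, nginx_config)
  threads = puma_max_threads(puma_config)
  nginx   = nginx_settings(nginx_config)
  cap     = nginx[:workers] * nginx[:keepalive]
  {
    puma_max_threads: threads,
    proxy_keepalive_cap: cap,
    ok: cap < threads,
    # Largest per-worker `keepalive` value that still respects the rule.
    max_keepalive_per_worker: (threads - 1) / nginx[:workers]
  }
end

if __FILE__ == $PROGRAM_NAME
  result = keepalive_budget(PUMA_CONFIG, NGINX_CONFIG)
  puts result.inspect
  warn "keepalive cap #{result[:proxy_keepalive_cap]} >= " \
       "#{result[:puma_max_threads]} Puma threads" unless result[:ok]
end
```

With the constructed fragments the check fails (4 workers x 8 = 32 keepalive connections against 16 threads) and reports that `keepalive 3;` is the largest per-worker value that satisfies the rule. Two caveats apply: nginx's `keepalive` bounds only the idle connections it caches, not connections busy with an in-flight request, so it is an approximation of "connections held open"; and nginx only reuses upstream connections at all when the location sets `proxy_http_version 1.1;` and clears the `Connection` header, so a proxy without those directives opens a new connection per request and never holds a Puma thread idle.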

Scoring

  • CVSS score: 5.3 (Severity: Medium)
  • EPSS: 0.36%
  • Affected: puma (vendor puma)

References

  • Third-Party Advisory: github.com
  • Third-Party Advisory: debian.org

Frequently Asked Questions

What is the severity of CVE-2019-16770?
CVE-2019-16770 has been scored as a medium severity vulnerability.
How to fix CVE-2019-16770?
As a workaround for remediating CVE-2019-16770: Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.
Is CVE-2019-16770 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2019-16770 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-16770?
CVE-2019-16770 affects puma (vendor puma).
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.