Platform: ruby
Component: puma
Fixed in: 3.12.2, 4.3.1
CVE-2019-16770 describes a Denial of Service (DoS) vulnerability in the Puma web server. An attacker can exploit this flaw by sending a large number of keepalive requests, potentially overwhelming Puma's reactor and preventing legitimate requests from being processed. This vulnerability affects versions of Puma up to and including 3.9.1, and patches are available in Puma 4.3.1 and 3.12.2.
The primary impact of CVE-2019-16770 is a denial of service. A successful attack can render the Puma web server unresponsive, preventing users from accessing the applications it serves. This can lead to significant disruption of service and potential financial losses. The vulnerability stems from Puma's handling of keepalive connections; if an attacker can open more keepalive connections than Puma has available threads, subsequent connections will be queued indefinitely, effectively starving the server. This is similar to resource exhaustion attacks seen in other web servers, where an attacker attempts to exhaust available resources to cause a crash or outage.
CVE-2019-16770 was published on December 5, 2019. There is no indication of this vulnerability being actively exploited in the wild, and it is not listed in CISA's KEV (Known Exploited Vulnerabilities) catalog as of this writing. The EPSS (Exploit Prediction Scoring System) score is likely low, reflecting the lack of public exploits and the relatively simple nature of the attack. No public proof-of-concept (PoC) code has been widely reported.
Exploit Status
EPSS: 1.59% (82nd percentile)
CVSS Vector:
The recommended mitigation for CVE-2019-16770 is to upgrade to Puma version 4.3.1 or 3.12.2, which contain the fix. If upgrading is not immediately feasible, a workaround involves configuring a reverse proxy (e.g., Nginx, Apache) in front of Puma to limit the number of keepalive connections allowed to the Puma cluster or process. The limit should be set to a value less than the number of threads Puma is configured to use. For example, if Puma has 10 threads, the reverse proxy should be configured to allow a maximum of 9 keepalive connections. After upgrading, confirm the fix by sending a high volume of keepalive requests to the Puma server and verifying that it remains responsive.
Update the Puma gem to version 4.3.1 or higher, or to version 3.12.2 or higher. This will fix the denial of service vulnerability caused by malicious clients monopolizing Puma's reactor with keepalive requests. Run `gem update puma` to update.
CVE-2019-16770 is a Denial of Service vulnerability in Puma versions up to 3.9.1. A malicious client can overwhelm Puma's reactor with keepalive requests, causing a denial of service.
You are affected if you are running Puma version 3.9.1 or earlier. Check your Puma version using `puma -v`.
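The following Ruby script is an added example, not code from this advisory or from the Puma project. It reads the resolved puma version out of a Gemfile.lock (or the output of `puma -v`) and decides whether an upgrade is needed by comparing against the "Fixed in" releases listed above: anything below 3.12.2 on the 3.x branch or below 4.3.1 on the 4.x branch is flagged. The function names, the treatment of 5.x and later as fixed, and the embedded Gemfile.lock excerpt are all assumptions constructed for the demonstration.

```ruby
# Added example (not from the advisory or the Puma project): decide whether a
# Puma version needs the CVE-2019-16770 upgrade, using the advisory's
# "Fixed in" releases as the threshold for each major branch.
require 'rubygems'

# First fixed release per major branch, taken from the "Fixed in" field above.
PUMA_FIXED_VERSIONS = {
  3 => Gem::Version.new('3.12.2'),
  4 => Gem::Version.new('4.3.1'),
}.freeze

# Returns true when the given Puma version is below the first fixed release of
# its branch. Assumption: branches newer than 4.x already contain the fix, and
# branches older than 3.x have no fixed release and are treated as affected.
def puma_affected?(version_string)
  version = Gem::Version.new(version_string)
  major = version.segments.first.to_i
  return true if major < 3
  fixed = PUMA_FIXED_VERSIONS[major]
  return false if fixed.nil?          # 5.x and later: assumed fixed
  version < fixed
end

# Extracts the resolved puma version from Gemfile.lock text. Bundler writes the
# resolved gem as a four-space-indented line such as "    puma (4.3.0)" under
# the specs section. Returns nil when puma is not in the lockfile.
def puma_version_from_lockfile(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/^\s{4}puma \(([^)]+)\)/)
    return m[1] if m
  end
  nil
end

# Extracts the version from `puma -v` output such as "puma version 3.12.1".
def puma_version_from_cli(output)
  m = output.match(/puma version (\S+)/)
  m && m[1]
end

# Constructed sample lockfile excerpt for demonstration only (not a real project).
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.2)
      puma (4.3.0)
        nio4r (~> 2.0)
      rack (2.0.7)

  PLATFORMS
    ruby

  DEPENDENCIES
    puma
LOCK

if __FILE__ == $PROGRAM_NAME
  v = puma_version_from_lockfile(SAMPLE_GEMFILE_LOCK)
  puts "puma #{v}: #{puma_affected?(v) ? 'affected, upgrade' : 'not affected'}"
end
```

To run it against a real project, replace SAMPLE_GEMFILE_LOCK with `File.read('Gemfile.lock')`; Gem::Version handles prerelease suffixes and ordering, so a string comparison is never used.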
Upgrade to Puma version 4.3.1 or 3.12.2. As a temporary workaround, configure a reverse proxy to limit keepalive connections.
There is currently no evidence of CVE-2019-16770 being actively exploited in the wild.
Refer to the Puma security advisory for details: https://github.com/puma/puma/security/advisories/GHSA-5g43-x455-744g