Keepalive Connections Causing Denial Of Service in puma
Description
Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in puma 4.3.8 and 5.3.1. Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Incomplete fix for CVE-2019-16770 in Puma allows greedy keep-alive connections to starve new connections, leading to denial of service.
Vulnerability
The fix for CVE-2019-16770 in Puma was incomplete. In Puma versions prior to 4.3.8 and 5.3.1, a server receiving more concurrent keep-alive connections than available threads in its threadpool would service only a subset of connections, denying service to the unserved ones. The original fix protected existing connections but not new ones. This affects all Puma versions in the 4.x and 5.x lines before the patched releases [1][2].
Exploitation
An attacker can exploit this by opening numerous persistent keep-alive connections to the Puma server, exceeding the threadpool size. The attacker requires network access to the server and no authentication. By saturating all threads with greedy persistent connections, new legitimate connections are starved and denied service. No malicious payload is needed; a large number of concurrent connections is sufficient [1][2].
Impact
Successful exploitation results in a denial of service (DoS) condition. Legitimate clients cannot establish new connections or have their requests serviced, leading to service unavailability. The impact is on availability only; no data confidentiality or integrity is compromised [1][2].
Mitigation
The vulnerability is fixed in Puma 4.3.8 and 5.3.1. Users should upgrade to these versions or later. A workaround is to set queue_requests false, but this is not recommended without a reverse proxy (e.g., nginx, Apache) as it exposes the server to slow client attacks like slowloris. A git patch is available for unsupported versions [1][2][3].
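As an added example (not code from Puma or from this advisory page), a small Ruby audit that classifies a deployment against the advisory's affected ranges and checks whether the queue_requests false workaround is set in the Puma config DSL; the Gemfile.lock and config texts are constructed samples.

```ruby
require 'rubygems'

# Affected ranges exactly as listed in the advisory's package table.
AFFECTED_RANGES = [
  Gem::Requirement.new('< 4.3.8'),
  Gem::Requirement.new('>= 5.0.0', '< 5.3.1')
].freeze

# Extract the locked puma version from Gemfile.lock text (nil if absent).
def locked_puma_version(lockfile_text)
  m = lockfile_text.match(/^\s{4}puma \((\d+\.\d+\.\d+(?:\.\w+)?)\)$/)
  m && m[1]
end

def version_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |r| r.satisfied_by?(v) }
end

# True when the config sets queue_requests to false (the advisory's workaround);
# commented-out lines do not count.
def queue_requests_disabled?(config_text)
  config_text.each_line.any? { |l| l.strip =~ /\Aqueue_requests\s+false\b/ }
end

# :patched     -> version outside the affected ranges
# :workaround  -> affected version, but queue_requests false is set
#                 (only acceptable behind a reverse proxy, per the advisory)
# :vulnerable  -> affected version, no workaround
def assess(lockfile_text, config_text)
  version = locked_puma_version(lockfile_text)
  return :unknown unless version
  return :patched unless version_affected?(version)
  queue_requests_disabled?(config_text) ? :workaround : :vulnerable
end

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.7)
      puma (5.2.2)
        nio4r (~> 2.0)
LOCK

SAMPLE_CONFIG = <<~CFG
  workers 2
  threads 5, 5
  # queue_requests false   (commented out: workaround NOT applied)
CFG

puts assess(SAMPLE_LOCK, SAMPLE_CONFIG) if __FILE__ == $0
```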
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| puma | RubyGems | < 4.3.8 | 4.3.8 |
| puma | RubyGems | >= 5.0.0, < 5.3.1 | 5.3.1 |
Affected products
12 entries: the GHSA coordinates plus 11 package version ranges (none has a CPE).
- pkg:gem/puma: range < 4.3.8
- pkg:rpm/opensuse/ruby3.2-rubygem-puma-5&distro=openSUSE%20Tumbleweed: range < 5.6.5-1.7
- pkg:rpm/opensuse/rubygem-puma-5&distro=openSUSE%20Tumbleweed: range < 5.6.5-1.1
- pkg:rpm/opensuse/rubygem-puma&distro=openSUSE%20Leap%2015.3: range < 4.3.11-150000.3.6.2
- pkg:rpm/opensuse/rubygem-puma&distro=openSUSE%20Leap%2015.4: range < 4.3.11-150000.3.6.2
- pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015: range < 4.3.11-150000.3.6.2
- pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1: range < 4.3.11-150000.3.6.2
- pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2: range < 4.3.11-150000.3.6.2
- pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3: range < 4.3.11-150000.3.6.2
- pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208: range < 2.16.0-3.12.1
- pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209: range < 2.16.0-4.12.1
- puma/puma (GHSA coordinates, v5 range format): range < 4.3.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9 references:
- github.com/advisories/GHSA-q28m-8xjw-8vr5 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-29509 (advisory)
- security.gentoo.org/glsa/202208-28 (vendor advisory, x_refsource_GENTOO)
- gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837 (web, x_refsource_MISC)
- github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5 (web, x_refsource_CONFIRM)
- github.com/puma/puma/security/policy (web, x_refsource_MISC)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-29509.yml (web)
- lists.debian.org/debian-lts-announce/2022/08/msg00015.html (mailing list, x_refsource_MLIST)
- rubygems.org/gems/puma (web, x_refsource_MISC)
News mentions
No linked articles in our index yet.