In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.
                
            Metrics
Affected Vendors & Products
References
        History
                    Sun, 13 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | epss 
 | epss 
 | 
 MITRE
                        MITRE
                    Status: PUBLISHED
Assigner: GitHub_M
Published: 2019-12-05T19:35:14
Updated: 2024-08-05T01:24:48.578Z
Reserved: 2019-09-24T00:00:00
Link: CVE-2019-16770
 Vulnrichment
                        Vulnrichment
                    No data.
 NVD
                        NVD
                    Status : Modified
Published: 2019-12-05T20:15:10.093
Modified: 2024-11-21T04:31:09.323
Link: CVE-2019-16770
 Redhat
                        Redhat