Zurück zur CVE-Übersicht
CVE-2026-47736
HIGH(7.5)CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Risk Signal Score29/100 — MITTEL
- CVSS 7.5 — Hoch
- Weniger als 24 Stunden alt
Beschreibung
Puma is a Ruby/Rack web server built for parallelism. From 5.5.0 until 7.2.1 and 8.0.2, when PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer while waiting for CRLF to determine whether a PROXY v1 line is present, allowing an attacker that continuously sends bytes without CRLF to cause unbounded in-process memory growth and additional CPU cost from repeatedly scanning the growing buffer. This issue is fixed in versions 7.2.1 and 8.0.2.
GitHub Advisories
GHSA-qpgp-93vx-g8v8HIGH
Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
rubygems/puma→ 8.0.2
GitHub AdvisoryReferenzen
- https://github.com/puma/puma/commit/439c6136d9c2275721b7864db3ee78af7c80889f
- https://github.com/puma/puma/commit/ebe9db3929ab8299d19c8f5b41e8ef4f4b22fa58
- https://github.com/puma/puma/releases/tag/v7.2.1
- https://github.com/puma/puma/releases/tag/v8.0.2
- https://github.com/puma/puma/security/advisories/GHSA-qpgp-93vx-g8v8