7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29509

GHSA ID

GHSA-q28m-8xjw-8vr5

EPSS Score

0.38169%

CWE

CWE-400

Published

5/18/2021

Updated

5/16/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-29509

CVE-2021-29509: Puma's Keepalive Connections Causing Denial Of Service

This vulnerability is related to CVE-2019-16770.

Impact

The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.

A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

Patches

This problem has been fixed in puma 4.3.8 and 5.3.1.

Workarounds

Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris).

The fix is very small. A git patch is available here for those using unsupported versions of Puma.

For more information

If you have any questions or comments about this advisory:

Open an issue in Puma.
To report problems with this fix or to report another vulnerability, see our security policy.

Acknowledgements

Thank you to @MSP-Greg, @wjordan and @evanphx for their review on this issue.

Thank you to @ioquatix for providing a modified fork of wrk which made debugging this issue much easier.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29509

GHSA ID

GHSA-q28m-8xjw-8vr5

EPSS Score

0.38169%

CWE

CWE-400

Published

5/18/2021

Updated

5/16/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
puma	rubygems	<= 4.3.7	4.3.8
puma	rubygems	>= 5.0.0, <= 5.3.0	5.3.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incomplete handling of keepalive connections in Puma's request processing loop. The git patch shows modifications in lib/puma/server.rb around the request counter and keepalive management logic. The original code didn't properly enforce the max_fast_inline limit across all worker processes in clustered mode, allowing persistent connections to monopolize all available threads. The vulnerable function is process_client where connection reset and request counting occurs, as evidenced by the patch modifying this area to add proper cluster-wide starvation prevention.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is vuln*r**ility is r*l*t** to [*V*-****-*****](*ttps://*it*u*.*om/pum*/pum*/s**urity/**visori*s/**S*-*xx*-m***-x***). ### Imp**t T** *ix *or *V*-****-***** w*s in*ompl*t*. T** ori*in*l *ix only prot**t** *xistin* *onn**tions t**t *** *lr***y ***

Reasoning

T** vuln*r**ility st*ms *rom in*ompl*t* **n*lin* o* k**p*liv* *onn**tions in Pum*'s r*qu*st pro**ssin* loop. T** *it p*t** s*ows mo*i*i**tions in li*/pum*/s*rv*r.r* *roun* t** r*qu*st *ount*r *n* k**p*liv* m*n***m*nt lo*i*. T** ori*in*l *o** *i*n't p

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-29509: Puma's Keepalive Connections Causing Denial Of Service

Impact

Patches

Workarounds

For more information

Acknowledgements

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI