Memory Growth Vulnerability in Puma Web Server Affecting Multiple Versions
CVE-2026-47736
7.5HIGH
What is CVE-2026-47736?
Puma, the Ruby/Rack web server known for its architecture designed for concurrency, has a vulnerability that arises when PROXY protocol v1 support is enabled. Under certain conditions, this vulnerability allows an attacker to send continuous data without the necessary CRLF termination, leading to unbounded growth of an internal memory buffer. This can result in performance degradation and increased CPU usage due to the repeated scans of the growing buffer. Versions 7.2.1 and 8.0.2 have been updated to address this issue, ensuring better resource management during operations.
Affected Version(s)
puma >= 5.5.0, < 7.2.1 < 5.5.0, 7.2.1
puma >= 8.0.0, < 8.0.2 < 8.0.0, 8.0.2
