Resource exhaustion in Puma
CVE-2026-47736
Puma is a Ruby/Rack web server built for parallelism. From 5.5.0 until 7.2.1 and 8.0.2, when PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer while waiting for CRLF to determine whether a PROXY v1 lin…
Vulnerability class: DoS (Denial of Service)
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Affected products
- Puma — versions >= 5.5.0, < 7.2.1, >= 8.0.0, < 8.0.2
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-47736?
- CVE-2026-47736 is a high-severity vulnerability in Puma, classified under Uncontrolled Resource Consumption. CVSS score: 7.5/10. Published 2026-07-14.
- How severe is CVE-2026-47736?
- High severity. CVSS v3 base score is 7.5 out of 10.