Impact "PROXY protocol support for Puma" (https://github.com/puma/puma/issues/2651) was added in version 5.5.0. When PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer. It waits for "\r\n" to determine whether a PROXY v1 line is present. If an attacker opens a TCP connection and continuously sends bytes without CRLF, Puma keeps appending to this pre-parse buffer. This can cause unbounded in-process memory growth and additional CPU cost from repeatedly scanning the growing buffer for CRLF. A single, unauthenticated TCP connection can drive significant memory growth and may cause process/container OOM or degraded availability. Only Puma servers using the following non-default config are affected: set_remote_address proxy_protocol: :v1 Patches Users should upgrade to versions 7.2.1 or 8.0.2. Workarounds - Disable PROXY protocol v1 parsing if it is not required: remove/comment this: set_remote_address proxy_protocol: :v1 - Restrict direct network access to Puma listeners using PROXY protocol: - Only allow trusted load balancers/reverse proxies to connect. - Block arbitrary client TCP access with firewall/security group rules. Resources - "HAProxy PROXY protocol specification" (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) - "CWE-400: Uncontrolled Resource Consumption" (https://cwe.mitre.org/data/definitions/400.html) - "CWE-770: Allocation of Resources Without Limits or Throttling" (https://cwe.mitre.org/data/definitions/770.html) - "Puma "set_remote_address" documentation" (https://github.com/puma/puma/blob/master/lib/puma/dsl.rb) - "Puma client PROXY protocol parsing code" (https://github.com/puma/puma/blob/master/lib/puma/client.rb) - "Puma constants, including "PROXY_PROTOCOL_V1_REGEX"" (https://github.com/puma/puma/blob/master/lib/puma/const.rb)