GHSA-qpgp-93vx-g8v8
Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
Details
### Impact
[PROXY protocol support for Puma](https://github.com/puma/puma/issues/2651) was added in version 5.5.0.
When PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer. It waits for "\r\n" to determine whether a PROXY v1 line is present. If an attacker opens a TCP connection and continuously sends bytes without CRLF, Puma keeps appending to this pre-parse buffer.
This can cause unbounded in-process memory growth and additional CPU cost from repeatedly scanning the growing buffer for CRLF. A single, unauthenticated TCP connection can drive significant memory growth and may cause process/container OOM or degraded availability.
**Only Puma servers using the following non-default config are affected:**
```ruby
set_remote_address proxy_protocol: :v1
```
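One way to keep the pre-parse buffer from growing without bound is to fail as soon as the bytes received can no longer be a valid v1 header: the HAProxy specification linked under Resources caps a v1 line at 107 bytes including CRLF, so anything longer without a CRLF is rejected instead of buffered. The following is an added illustrative example in Ruby, not Puma's code; the class, method and exception names are assumptions.

```ruby
# Illustrative bounded PROXY protocol v1 pre-parser (added example, not Puma's code).
# The HAProxy spec caps a v1 header line at 107 bytes including the CRLF.
PROXY_V1_MAX_LINE = 107
PROXY_V1_MAGIC = "PROXY ".b
PROXY_V1_LINE = /\APROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n/

class ProxyV1Reader
  class HeaderTooLong < StandardError; end
  class BadHeader < StandardError; end

  def initialize(max_line: PROXY_V1_MAX_LINE)
    @buf = "".b      # binary accumulation buffer for bytes read so far
    @max = max_line
  end

  # Feed bytes as they arrive from the socket. Returns nil while the header
  # line is still incomplete, a Hash once a CRLF-terminated header is parsed,
  # and raises as soon as the data cannot be a valid v1 header, so the buffer
  # never exceeds @max bytes no matter how long the peer keeps sending.
  def feed(bytes)
    @buf << bytes.b
    # Fast fail: whatever has arrived so far must be a prefix of "PROXY ".
    raise BadHeader, "not a PROXY v1 line" unless PROXY_V1_MAGIC.start_with?(@buf.byteslice(0, 6))
    crlf = @buf.index("\r\n")
    if crlf.nil?
      raise HeaderTooLong, "#{@buf.bytesize} bytes without CRLF" if @buf.bytesize > @max
      return nil
    end
    raise HeaderTooLong, "header line exceeds #{@max} bytes" if crlf + 2 > @max
    line = @buf.byteslice(0, crlf + 2)
    m = PROXY_V1_LINE.match(line)
    raise BadHeader, "malformed header: #{line.inspect}" unless m
    proto, src, dst, sport, dport = m.captures
    raise BadHeader, "missing address fields" if proto != "UNKNOWN" && src.nil?
    { proto: proto, src_addr: src, dst_addr: dst,
      src_port: sport&.to_i, dst_port: dport&.to_i,
      rest: @buf.byteslice(crlf + 2, @buf.bytesize) }  # payload bytes after the header
  end
end
```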
### Patches
Users should upgrade to versions 7.2.1 or 8.0.2.
### Workarounds
- Disable PROXY protocol v1 parsing if it is not required:
  ```ruby
  # remove/comment this:
  # set_remote_address proxy_protocol: :v1
  ```
- Restrict direct network access to Puma listeners using PROXY protocol:
  - Only allow trusted load balancers/reverse proxies to connect.
  - Block arbitrary client TCP access with firewall/security group rules.
### Resources
- [HAProxy PROXY protocol specification](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
- [CWE-400: Uncontrolled Resource Consumption](https://cwe.mitre.org/data/definitions/400.html)
- [CWE-770: Allocation of Resources Without Limits or Throttling](https://cwe.mitre.org/data/definitions/770.html)
- [Puma `set_remote_address` documentation](https://github.com/puma/puma/blob/master/lib/puma/dsl.rb)
- [Puma client PROXY protocol parsing code](https://github.com/puma/puma/blob/master/lib/puma/client.rb)
- [Puma constants, including `PROXY_PROTOCOL_V1_REGEX`](https://github.com/puma/puma/blob/master/lib/puma/const.rb)