[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2021-29509":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T08:55:32.481Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":109,"aliases":110,"duplicate_of":9,"upstream":111,"downstream":112,"duplicates":133,"related":134,"reserved_at":9,"published_at":141,"modified_at":142,"state":143,"summary":144,"references_raw":153,"kevs":188,"epss":189,"epss_history":192,"metrics":448,"affected":460},"CVE-2021-29509","Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.",null,[11,39],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":9,"capec":18},"CWE-667","Improper Locking","The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.","weakness","Draft","Class",[19,31,35],{"id":20,"name":21,"techniques":22},"CAPEC-25","Forced Deadlock",[23],{"id":24,"name":25,"tactics":26,"countermeasures":30},"T1499.004","Application or System Exploitation",[27],{"id":28,"name":29},"TA0105","Impact",[],{"id":32,"name":33,"techniques":34},"CAPEC-26","Leveraging Race Conditions",[],{"id":36,"name":37,"techniques":38},"CAPEC-27","Leveraging Race Conditions via Symbolic Links",[],{"_key":40,"id":40,"name":41,"description":42,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":43,"capec":44},"CWE-400","Uncontrolled Resource Consumption","The product does not properly control the allocation and maintenance of a limited resource.","High",[45,49,105],{"id":46,"name":47,"techniques":48},"CAPEC-147","XML Ping of the Death",[],{"id":50,"name":51,"techniques":52},"CAPEC-227","Sustained Client Engagement",[53],{"id":54,"name":55,"tactics":56,"countermeasures":58},"T1499","Endpoint Denial of Service",[57],{"id":28,"name":29},[59,64,68,72,76,80,84,88,92,96,101],{"id":60,"name":61,"tactic":62},"D3-UGLPA","User Geolocation Logon Pattern Analysis",{"name":63},"Detect",{"id":65,"name":66,"tactic":67},"D3-PMAD","Protocol Metadata Anomaly Detection",{"name":63},{"id":69,"name":70,"tactic":71},"D3-CSPP","Client-server Payload Profiling",{"name":63},{"id":73,"name":74,"tactic":75},"D3-PHDURA","Per Host Download-Upload Ratio Analysis",{"name":63},{"id":77,"name":78,"tactic":79},"D3-NTSA","Network Traffic Signature Analysis",{"name":63},{"id":81,"name":82,"tactic":83},"D3-APCA","Application Protocol Command Analysis",{"name":63},{"id":85,"name":86,"tactic":87},"D3-NTCD","Network Traffic Community Deviation",{"name":63},{"id":89,"name":90,"tactic":91},"D3-RTSD","Remote Terminal Session Detection",{"name":63},{"id":93,"name":94,"tactic":95},"D3-ISVA","Inbound Session Volume Analysis",{"name":63},{"id":97,"name":98,"tactic":99},"D3-NTF","Network Traffic Filtering",{"name":100},"Isolate",{"id":102,"name":103,"tactic":104},"D3-ITF","Inbound Traffic Filtering",{"name":100},{"id":106,"name":107,"techniques":108},"CAPEC-492","Regular Expression Exponential Blowup",[],[],[],[],[113,115,117,119,121,123,125,127,129,131],{"_key":114},"UBUNTU-CVE-2021-29509",{"_key":116},"SUSE-SU-2022:1515-1",{"_key":118},"SUSE-SU-2021:2761-1",{"_key":120},"SUSE-SU-2021:2914-1",{"_key":122},"OPENSUSE-SU-2024:12592-1",{"_key":124},"OPENSUSE-SU-2024:13166-1",{"_key":126},"OPENSUSE-SU-2024:13721-1",{"_key":128},"DLA-3083-1",{"_key":130},"DEBIAN-CVE-2021-29509",{"_key":132},"RHSA-2021:4702",[],[135,136,137,138,139,140],{"_key":116},{"_key":118},{"_key":120},{"_key":122},{"_key":124},{"_key":126},"2021-05-11T16:50:11.000Z","2024-08-03T22:11:05.438Z","Modified",{"cisa_kev":145,"cisa_ransomware":145,"cisa_vendor":9,"epss_severity":146,"epss_score":147,"severity":148,"severity_score":149,"severity_version":150,"severity_source":151,"severity_vector":152,"severity_status":143},false,"low",0.01358,"high",7.5,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",[154,162,167,171,176,182],{"url":155,"sources":156,"tags":158},"https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5",[151,157],"nvd",[159,160,161],"X Refsource CONFIRM","Patch","Third Party Advisory",{"url":163,"sources":164,"tags":165},"https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837",[151,157],[166,160,161],"X Refsource MISC",{"url":168,"sources":169,"tags":170},"https://github.com/puma/puma/security/policy",[151,157],[166,161],{"url":172,"sources":173,"tags":174},"https://rubygems.org/gems/puma",[151,157],[166,175,161],"Product",{"url":177,"sources":178,"tags":179},"https://security.gentoo.org/glsa/202208-28",[151,157],[180,181,161],"Vendor Advisory","X Refsource GENTOO",{"url":183,"sources":184,"tags":185},"https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html",[151,157],[186,187,161],"Mailing List","X Refsource MLIST",[],{"date":190,"score":147,"percentile":191},"2026-06-04",0.8048,[193,196,199,202,205,208,211,214,217,220,223,226,229,231,234,237,240,243,246,249,252,254,257,259,262,265,267,270,273,276,279,282,285,288,291,294,297,300,303,306,309,311,313,315,318,321,324,327,330,333,335,338,341,344,347,350,353,356,358,361,364,367,370,373,376,378,381,384,386,389,392,394,397,399,402,405,408,410,413,416,419,422,425,428,431,434,437,440,443,445],{"date":194,"score":147,"percentile":195},"2025-11-04",0.79508,{"date":197,"score":147,"percentile":198},"2025-11-05",0.7951,{"date":200,"score":147,"percentile":201},"2025-11-06",0.79512,{"date":203,"score":147,"percentile":204},"2025-11-07",0.79524,{"date":206,"score":147,"percentile":207},"2025-11-08",0.79531,{"date":209,"score":147,"percentile":210},"2025-11-09",0.79528,{"date":212,"score":147,"percentile":213},"2025-11-10",0.79516,{"date":215,"score":147,"percentile":216},"2025-11-11",0.79519,{"date":218,"score":147,"percentile":219},"2025-11-12",0.79535,{"date":221,"score":147,"percentile":222},"2025-11-13",0.79543,{"date":224,"score":147,"percentile":225},"2025-11-14",0.7955,{"date":227,"score":147,"percentile":228},"2025-11-15",0.79549,{"date":230,"score":147,"percentile":225},"2025-11-16",{"date":232,"score":147,"percentile":233},"2025-11-17",0.79547,{"date":235,"score":147,"percentile":236},"2025-11-18",0.78479,{"date":238,"score":147,"percentile":239},"2025-11-19",0.78487,{"date":241,"score":147,"percentile":242},"2025-11-20",0.78494,{"date":244,"score":147,"percentile":245},"2025-11-21",0.79568,{"date":247,"score":147,"percentile":248},"2025-11-22",0.79573,{"date":250,"score":147,"percentile":251},"2025-11-23",0.79564,{"date":253,"score":147,"percentile":251},"2025-11-24",{"date":255,"score":147,"percentile":256},"2025-11-25",0.79566,{"date":258,"score":147,"percentile":245},"2025-11-26",{"date":260,"score":147,"percentile":261},"2025-11-27",0.7957,{"date":263,"score":147,"percentile":264},"2025-11-28",0.79562,{"date":266,"score":147,"percentile":245},"2025-11-29",{"date":268,"score":147,"percentile":269},"2025-11-30",0.79567,{"date":271,"score":147,"percentile":272},"2025-12-01",0.7966,{"date":274,"score":147,"percentile":275},"2025-12-02",0.79661,{"date":277,"score":147,"percentile":278},"2025-12-03",0.79663,{"date":280,"score":147,"percentile":281},"2025-12-04",0.79569,{"date":283,"score":147,"percentile":284},"2025-12-05",0.79572,{"date":286,"score":147,"percentile":287},"2025-12-06",0.79575,{"date":289,"score":147,"percentile":290},"2025-12-07",0.79577,{"date":292,"score":147,"percentile":293},"2025-12-08",0.79581,{"date":295,"score":147,"percentile":296},"2025-12-09",0.79597,{"date":298,"score":147,"percentile":299},"2025-12-10",0.79623,{"date":301,"score":147,"percentile":302},"2025-12-11",0.79635,{"date":304,"score":147,"percentile":305},"2025-12-12",0.79653,{"date":307,"score":147,"percentile":308},"2025-12-13",0.79654,{"date":310,"score":147,"percentile":308},"2025-12-14",{"date":312,"score":147,"percentile":305},"2025-12-15",{"date":314,"score":147,"percentile":278},"2025-12-16",{"date":316,"score":147,"percentile":317},"2025-12-17",0.79674,{"date":319,"score":147,"percentile":320},"2025-12-18",0.79694,{"date":322,"score":147,"percentile":323},"2025-12-19",0.79704,{"date":325,"score":147,"percentile":326},"2025-12-20",0.79697,{"date":328,"score":147,"percentile":329},"2025-12-21",0.79689,{"date":331,"score":147,"percentile":332},"2025-12-22",0.7969,{"date":334,"score":147,"percentile":332},"2025-12-23",{"date":336,"score":147,"percentile":337},"2025-12-24",0.79705,{"date":339,"score":147,"percentile":340},"2025-12-25",0.79726,{"date":342,"score":147,"percentile":343},"2025-12-26",0.79721,{"date":345,"score":147,"percentile":346},"2025-12-27",0.79765,{"date":348,"score":147,"percentile":349},"2025-12-28",0.79709,{"date":351,"score":147,"percentile":352},"2025-12-29",0.79706,{"date":354,"score":147,"percentile":355},"2025-12-30",0.79712,{"date":357,"score":147,"percentile":340},"2025-12-31",{"date":359,"score":147,"percentile":360},"2026-01-01",0.79817,{"date":362,"score":147,"percentile":363},"2026-01-02",0.79814,{"date":365,"score":147,"percentile":366},"2026-01-03",0.79811,{"date":368,"score":147,"percentile":369},"2026-01-04",0.79715,{"date":371,"score":147,"percentile":372},"2026-01-05",0.79713,{"date":374,"score":147,"percentile":375},"2026-01-06",0.79716,{"date":377,"score":147,"percentile":343},"2026-01-07",{"date":379,"score":147,"percentile":380},"2026-01-08",0.7973,{"date":382,"score":147,"percentile":383},"2026-01-09",0.79731,{"date":385,"score":147,"percentile":383},"2026-01-10",{"date":387,"score":147,"percentile":388},"2026-01-11",0.79723,{"date":390,"score":147,"percentile":391},"2026-01-12",0.79708,{"date":393,"score":147,"percentile":352},"2026-01-13",{"date":395,"score":147,"percentile":396},"2026-01-14",0.79727,{"date":398,"score":147,"percentile":380},"2026-01-15",{"date":400,"score":147,"percentile":401},"2026-01-16",0.79739,{"date":403,"score":147,"percentile":404},"2026-01-17",0.79747,{"date":406,"score":147,"percentile":407},"2026-01-18",0.79738,{"date":409,"score":147,"percentile":383},"2026-01-19",{"date":411,"score":147,"percentile":412},"2026-01-20",0.79732,{"date":414,"score":147,"percentile":415},"2026-01-21",0.79741,{"date":417,"score":147,"percentile":418},"2026-01-22",0.79752,{"date":420,"score":147,"percentile":421},"2026-01-23",0.7978,{"date":423,"score":147,"percentile":424},"2026-01-24",0.79791,{"date":426,"score":147,"percentile":427},"2026-01-25",0.79782,{"date":429,"score":147,"percentile":430},"2026-01-26",0.79781,{"date":432,"score":147,"percentile":433},"2026-01-27",0.79783,{"date":435,"score":147,"percentile":436},"2026-01-28",0.79777,{"date":438,"score":147,"percentile":439},"2026-01-29",0.79776,{"date":441,"score":147,"percentile":442},"2026-01-30",0.79778,{"date":444,"score":147,"percentile":433},"2026-01-31",{"date":446,"score":147,"percentile":447},"2026-02-01",0.79877,[449,454],{"source":151,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":450,"cvss_v4_0":9},{"baseScore":149,"baseSeverity":451,"vectorString":152,"impactScore":452,"exploitabilityScore":453},"HIGH",6,10,{"source":157,"cvss_v2_0":455,"cvss_v3_0":9,"cvss_v3_1":459,"cvss_v4_0":9},{"baseScore":456,"baseSeverity":9,"vectorString":457,"impactScore":458,"exploitabilityScore":453},5,"AV:N/AC:L/Au:N/C:N/I:N/A:P",2.9,{"baseScore":149,"baseSeverity":451,"vectorString":152,"impactScore":452,"exploitabilityScore":453},[461,470],{"ecosystem":9,"name":462,"vendor":463,"product":464,"cpe_part":465,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":466},"debian linux","debian","debian_linux","o",[467],{"version":468,"is_range":145,"range_type":469,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"10.0","cpe",{"ecosystem":9,"name":471,"vendor":471,"product":471,"cpe_part":472,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":473},"puma","a",[474,479],{"version":475,"is_range":476,"range_type":469,"version_start":9,"version_start_type":9,"version_end":477,"version_end_type":478,"fixed_in":9},"\u003C 4.3.8",true,"4.3.8","excluding",{"version":480,"is_range":476,"range_type":469,"version_start":481,"version_start_type":482,"version_end":483,"version_end_type":478,"fixed_in":9},">= 5.0.0, \u003C 5.3.1","5.0.0","including","5.3.1"]