Skip to main content

Puma CVE-2026-47737

| EUVDEUVD-2026-44427 HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-06-09 https://github.com/puma/puma GHSA-2vqw-3mp8-cgmx
7.5
CVSS 3.1 · Vendor: https://github.com/puma/puma
Share

Severity by source

Vendor (https://github.com/puma/puma) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from Vendor (https://github.com/puma/puma) · only source for this CVE.

CVSS VectorVendor: https://github.com/puma/puma

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 09, 2026 - 00:30 vuln.today
Analysis Generated
Jun 09, 2026 - 00:30 vuln.today

DescriptionCVE.org

Impact

Puma is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used.

PROXY protocol v1 is a connection-level protocol. Support was added to Puma in v5.5.0. A proxy sends one PROXY header at the beginning of a TCP connection, before any HTTP data. Puma incorrectly re-parsed PROXY protocol headers after each keep-alive request on the same connection. An attacker able to send HTTP requests through a trusted proxy could therefore inject a second PROXY header between HTTP requests. Puma would treat the injected header as authoritative for the next request and overwrite REMOTE_ADDR.

This can mislead applications or middleware that use REMOTE_ADDR for security decisions, rate limiting, auditing, or allow/deny lists.

Only deployments that explicitly enable PROXY protocol v1 are affected, and will have set:

ruby
set_remote_address proxy_protocol: :v1

Puma's default configuration is not affected. Deployments that do not use persistent connections to Puma are also not expected to be affected by this issue.

Patches

Users should upgrade to versions 7.2.1 or 8.0.2.

Workarounds

Disable PROXY protocol v1 parsing if it is not required:

ruby
# remove/comment this:
# set_remote_address proxy_protocol: :v1

Users can also disable persistent connections to Puma, for example:

ruby
enable_keep_alives false

References

AnalysisAI

Source IP spoofing in Puma Ruby web server versions 5.5.0 through 7.2.0 and 8.0.0 through 8.0.1 allows remote attackers to overwrite REMOTE_ADDR by injecting a second PROXY protocol v1 header between keep-alive requests on a persistent connection. Only deployments that explicitly enable set_remote_address proxy_protocol: :v1 behind a trusted proxy are affected, and no public exploit identified at time of analysis. The flaw undermines any application or middleware logic that relies on client IP for access control, rate limiting, or auditing.

Technical ContextAI

Puma is a widely used multi-threaded Ruby HTTP server commonly fronted by reverse proxies such as HAProxy or nginx. The HAProxy PROXY protocol v1 is a connection-level mechanism in which the upstream proxy sends a single human-readable PROXY line once at the start of a TCP connection to convey the original client address. Puma's bug, classified as CWE-290 (Authentication Bypass by Spoofing), is that its parser re-evaluated PROXY headers at the start of every keep-alive request rather than only on connection establishment, so an attacker tunneled through the trusted proxy can smuggle a forged PROXY line as the first bytes of a subsequent request and have Puma adopt the spoofed source address. The CPE pkg:rubygems/puma confirms the affected component is the Ruby gem, and the issue is analogous to CVE-2025-31135 in go-guerrilla, cited in the advisory as prior art for the same parsing mistake.

RemediationAI

Vendor-released patch: upgrade to Puma 7.2.1 (for the 5.5.0-7.x branch) or 8.0.2 (for the 8.0.x branch) as published in GHSA-2vqw-3mp8-cgmx (https://github.com/puma/puma/security/advisories/GHSA-2vqw-3mp8-cgmx). If immediate upgrade is not possible, remove or comment out the set_remote_address proxy_protocol: :v1 directive in the Puma config, which fully closes the bug but loses the original client IP unless the proxy is reconfigured to forward it via a trusted HTTP header such as X-Forwarded-For (with the application then parsing that header instead). Alternatively, disable keep-alives with enable_keep_alives false, which eliminates the persistent-connection precondition but increases TCP handshake overhead and can hurt throughput under high concurrency. Until patched, audit application code paths that consume REMOTE_ADDR (Rack::Attack, admin IP allow-lists, audit logs) and treat them as untrusted.

Share

CVE-2026-47737 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy