Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (https://github.com/puma/puma) · only source for this CVE.
CVSS VectorVendor: https://github.com/puma/puma
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Impact
Puma is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used.
PROXY protocol v1 is a connection-level protocol. Support was added to Puma in v5.5.0. A proxy sends one PROXY header at the beginning of a TCP connection, before any HTTP data. Puma incorrectly re-parsed PROXY protocol headers after each keep-alive request on the same connection. An attacker able to send HTTP requests through a trusted proxy could therefore inject a second PROXY header between HTTP requests. Puma would treat the injected header as authoritative for the next request and overwrite REMOTE_ADDR.
This can mislead applications or middleware that use REMOTE_ADDR for security decisions, rate limiting, auditing, or allow/deny lists.
Only deployments that explicitly enable PROXY protocol v1 are affected, and will have set:
set_remote_address proxy_protocol: :v1Puma's default configuration is not affected. Deployments that do not use persistent connections to Puma are also not expected to be affected by this issue.
Patches
Users should upgrade to versions 7.2.1 or 8.0.2.
Workarounds
Disable PROXY protocol v1 parsing if it is not required:
# remove/comment this:
# set_remote_address proxy_protocol: :v1Users can also disable persistent connections to Puma, for example:
enable_keep_alives falseReferences
AnalysisAI
Source IP spoofing in Puma Ruby web server versions 5.5.0 through 7.2.0 and 8.0.0 through 8.0.1 allows remote attackers to overwrite REMOTE_ADDR by injecting a second PROXY protocol v1 header between keep-alive requests on a persistent connection. Only deployments that explicitly enable set_remote_address proxy_protocol: :v1 behind a trusted proxy are affected, and no public exploit identified at time of analysis. The flaw undermines any application or middleware logic that relies on client IP for access control, rate limiting, or auditing.
Technical ContextAI
Puma is a widely used multi-threaded Ruby HTTP server commonly fronted by reverse proxies such as HAProxy or nginx. The HAProxy PROXY protocol v1 is a connection-level mechanism in which the upstream proxy sends a single human-readable PROXY line once at the start of a TCP connection to convey the original client address. Puma's bug, classified as CWE-290 (Authentication Bypass by Spoofing), is that its parser re-evaluated PROXY headers at the start of every keep-alive request rather than only on connection establishment, so an attacker tunneled through the trusted proxy can smuggle a forged PROXY line as the first bytes of a subsequent request and have Puma adopt the spoofed source address. The CPE pkg:rubygems/puma confirms the affected component is the Ruby gem, and the issue is analogous to CVE-2025-31135 in go-guerrilla, cited in the advisory as prior art for the same parsing mistake.
RemediationAI
Vendor-released patch: upgrade to Puma 7.2.1 (for the 5.5.0-7.x branch) or 8.0.2 (for the 8.0.x branch) as published in GHSA-2vqw-3mp8-cgmx (https://github.com/puma/puma/security/advisories/GHSA-2vqw-3mp8-cgmx). If immediate upgrade is not possible, remove or comment out the set_remote_address proxy_protocol: :v1 directive in the Puma config, which fully closes the bug but loses the original client IP unless the proxy is reconfigured to forward it via a trusted HTTP header such as X-Forwarded-For (with the application then parsing that header instead). Alternatively, disable keep-alives with enable_keep_alives false, which eliminates the persistent-connection precondition but increases TCP handshake overhead and can hurt throughput under high concurrency. Until patched, audit application code paths that consume REMOTE_ADDR (Rack::Attack, admin IP allow-lists, audit logs) and treat them as untrusted.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44427
GHSA-2vqw-3mp8-cgmx