GHSA-2VQW-3MP8-CGMX

Vulnerability from github – Published: 2026-06-09 00:09 – Updated: 2026-06-09 00:09
VLAI
Summary
Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections
Details

Impact

Puma is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used.

PROXY protocol v1 is a connection-level protocol. Support was added to Puma in v5.5.0. A proxy sends one PROXY header at the beginning of a TCP connection, before any HTTP data. Puma incorrectly re-parsed PROXY protocol headers after each keep-alive request on the same connection. An attacker able to send HTTP requests through a trusted proxy could therefore inject a second PROXY header between HTTP requests. Puma would treat the injected header as authoritative for the next request and overwrite REMOTE_ADDR.

This can mislead applications or middleware that use REMOTE_ADDR for security decisions, rate limiting, auditing, or allow/deny lists.

Only deployments that explicitly enable PROXY protocol v1 are affected, and will have set:

set_remote_address proxy_protocol: :v1

Puma's default configuration is not affected. Deployments that do not use persistent connections to Puma are also not expected to be affected by this issue.

Patches

Users should upgrade to versions 7.2.1 or 8.0.2.

Workarounds

Disable PROXY protocol v1 parsing if it is not required:

ruby # remove/comment this: # set_remote_address proxy_protocol: :v1

Users can also disable persistent connections to Puma, for example:

enable_keep_alives false

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.5.0"
            },
            {
              "fixed": "7.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290",
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-09T00:09:44Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nPuma is vulnerable to source IP spoofing when `set_remote_address proxy_protocol: :v1` is enabled and persistent connections are used.\n\nPROXY protocol v1 is a connection-level protocol. [Support was added to Puma in v5.5.0](https://github.com/puma/puma/issues/2651). A proxy sends one PROXY header at the beginning of a TCP connection, before any HTTP data. Puma incorrectly re-parsed PROXY protocol headers after each keep-alive request on the same connection. An attacker able to send HTTP requests through a trusted proxy could therefore inject a second PROXY header between HTTP requests. Puma would treat the injected header as authoritative for the next request and overwrite `REMOTE_ADDR`.\n\nThis can mislead applications or middleware that use `REMOTE_ADDR` for security decisions, rate limiting, auditing, or allow/deny lists.\n\n**Only deployments that explicitly enable PROXY protocol v1 are affected**, and will have set:\n\n```ruby\nset_remote_address proxy_protocol: :v1\n```\n\nPuma\u0027s default configuration is not affected. Deployments that do not use persistent connections to Puma are also not expected to be affected by this issue.\n\n### Patches\n\nUsers should upgrade to versions 7.2.1 or 8.0.2.\n\n### Workarounds\n\nDisable PROXY protocol v1 parsing if it is not required:\n\n ```ruby\n   # remove/comment this:\n   # set_remote_address proxy_protocol: :v1\n ```\n\nUsers can also disable persistent connections to Puma, for example:\n\n```ruby\nenable_keep_alives false\n```\n\n### References\n\n- [HAProxy PROXY protocol specification](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)\n- [CVE-2025-31135 / GHSA-c2c3-pqw5-5p7c: go-guerrilla repeated PROXY command source IP spoofing](https://github.com/phires/go-guerrilla/security/advisories/GHSA-c2c3-pqw5-5p7c)\n- [Puma `set_remote_address` documentation](https://github.com/puma/puma/blob/master/lib/puma/dsl.rb)",
  "id": "GHSA-2vqw-3mp8-cgmx",
  "modified": "2026-06-09T00:09:44Z",
  "published": "2026-06-09T00:09:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/security/advisories/GHSA-2vqw-3mp8-cgmx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/puma/puma"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2026-47737.yml"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-47737"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…