-
-
Notifications
You must be signed in to change notification settings - Fork 236
Expand file tree
/
Copy pathCVE-2026-47737.yml
More file actions
67 lines (56 loc) · 2.46 KB
/
Copy pathCVE-2026-47737.yml
File metadata and controls
67 lines (56 loc) · 2.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
---
gem: puma
cve: 2026-47737
ghsa: 2vqw-3mp8-cgmx
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-47737
title: Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on
Persistent Connections
date: 2026-05-27
description: |
## Impact
Puma is vulnerable to source IP spoofing when set_remote_address
proxy_protocol: :v1 is enabled and persistent connections are used.
PROXY protocol v1 is a connection-level protocol. Support was added
to Puma in v5.5.0. A proxy sends one PROXY header at the beginning
of a TCP connection, before any HTTP data. Puma incorrectly re-parsed
PROXY protocol headers after each keep-alive request on the same
connection. An attacker able to send HTTP requests through a trusted
proxy could therefore inject a second PROXY header between HTTP
requests. Puma would treat the injected header as authoritative for
the next request and overwrite REMOTE_ADDR.
This can mislead applications or middleware that use REMOTE_ADDR for
security decisions, rate limiting, auditing, or allow/deny lists.
Only deployments that explicitly enable PROXY protocol v1 are affected,
and will have set:
set_remote_address proxy_protocol: :v1
Puma's default configuration is not affected. Deployments that do
not use persistent connections to Puma are also not expected to
be affected by this issue.
## Workarounds
* Disable PROXY protocol v1 parsing if it is not required:
# remove/comment this:
# set_remote_address proxy_protocol: :v1
Users can also disable persistent connections to Puma, for example:
enable_keep_alives false
cvss_v3: 7.5
unaffected_versions:
- "< 5.5.0"
patched_versions:
- "~> 7.2.1"
- ">= 8.0.2"
related:
url:
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-47737
- https://rubygems.org/gems/puma/versions/8.0.2
- https://github.com/puma/puma/blob/main/History.md#802--2026-05-27
- https://github.com/puma/puma/blob/main/History.md#721--2026-05-27
- https://github.com/puma/puma/releases/tag/v8.0.2
- https://github.com/puma/puma/releases/tag/v7.2.1
- https://github.com/puma/puma/pull/2654
- https://github.com/phires/go-guerrilla/security/advisories/GHSA-c2c3-pqw5-5p7c
- https://github.com/puma/puma/issues/2651
- https://rubyweekly.com/issues/803
- https://github.com/puma/puma/security/advisories/GHSA-2vqw-3mp8-cgmx
notes: |
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-47737 (reserved)
- No nvd cvss values