← Back to CVE List
CVE-2026-47737NVD
Vulnerability Summary
### Impact
Puma is vulnerable to source IP spoofing when `set_remote_address proxy_protocol: :v1` is enabled and persistent connections are used.
PROXY protocol v1 is a connection-level protocol. [Support was added to Puma in v5.5.0](https://github.com/puma/puma/issues/2651). A proxy sends one PROXY header at the beginning of a TCP connection, before any HTTP data. Puma incorrectly re-parsed PROXY protocol headers after each keep-alive request on the same connection. An attacker able to send HTTP requests through a trusted proxy could therefore inject a second PROXY header between HTTP requests. Puma would treat the injected header as authoritative for the next request and overwrite `REMOTE_ADDR`.
This can mislead applications or middleware that use `REMOTE_ADDR` for security decisions, rate limiting, auditing, or allow/deny lists.
**Only deployments that explicitly enable PROXY protocol v1 are affected**, and will have set:
```ruby
set_remote_address proxy_protocol: :v1
```
Puma's default configuration is not affected. Deployments that do not use persistent connections to Puma are also not expected to be affected by this issue.
### Patches
Users should upgrade to versions 7.2.1 or 8.0.2.
### Workarounds
Disable PROXY protocol v1 parsing if it is not required:
```ruby
# remove/comment this:
# set_remote_address proxy_protocol: :v1
```
Users can also disable persistent connections to Puma, for example:
```ruby
enable_keep_alives false
```
### References
- [HAProxy PROXY protocol specification](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
- [CVE-2025-31135 / GHSA-c2c3-pqw5-5p7c: go-guerrilla repeated PROXY command source IP spoofing](https://github.com/phires/go-guerrilla/security/advisories/GHSA-c2c3-pqw5-5p7c)
- [Puma `set_remote_address` documentation](https://github.com/puma/puma/blob/master/lib/puma/dsl.rb)
Puma is vulnerable to source IP spoofing when `set_remote_address proxy_protocol: :v1` is enabled and persistent connections are used.
PROXY protocol v1 is a connection-level protocol. [Support was added to Puma in v5.5.0](https://github.com/puma/puma/issues/2651). A proxy sends one PROXY header at the beginning of a TCP connection, before any HTTP data. Puma incorrectly re-parsed PROXY protocol headers after each keep-alive request on the same connection. An attacker able to send HTTP requests through a trusted proxy could therefore inject a second PROXY header between HTTP requests. Puma would treat the injected header as authoritative for the next request and overwrite `REMOTE_ADDR`.
This can mislead applications or middleware that use `REMOTE_ADDR` for security decisions, rate limiting, auditing, or allow/deny lists.
**Only deployments that explicitly enable PROXY protocol v1 are affected**, and will have set:
```ruby
set_remote_address proxy_protocol: :v1
```
Puma's default configuration is not affected. Deployments that do not use persistent connections to Puma are also not expected to be affected by this issue.
### Patches
Users should upgrade to versions 7.2.1 or 8.0.2.
### Workarounds
Disable PROXY protocol v1 parsing if it is not required:
```ruby
# remove/comment this:
# set_remote_address proxy_protocol: :v1
```
Users can also disable persistent connections to Puma, for example:
```ruby
enable_keep_alives false
```
### References
- [HAProxy PROXY protocol specification](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
- [CVE-2025-31135 / GHSA-c2c3-pqw5-5p7c: go-guerrilla repeated PROXY command source IP spoofing](https://github.com/phires/go-guerrilla/security/advisories/GHSA-c2c3-pqw5-5p7c)
- [Puma `set_remote_address` documentation](https://github.com/puma/puma/blob/master/lib/puma/dsl.rb)
CVSS v3.1 Base Metrics
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
ConfidentialityNone
IntegrityHigh
AvailabilityNone