CVE-2026-47737 in Puma
Summary
by MITRE • 07/14/2026
Puma is a Ruby/Rack web server built for parallelism. From 5.5.0 until 7.2.1 and 8.0.2, Puma is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used because Puma incorrectly re-parses PROXY protocol headers after each keep-alive request on the same connection, allowing an attacker to inject a second PROXY header and overwrite REMOTE_ADDR. This issue is fixed in versions 7.2.1 and 8.0.2.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
Puma web server versions between 5.5.0 and 7.2.1 as well as 8.0.0 through 8.0.1 contain a critical source IP spoofing vulnerability that arises from improper handling of PROXY protocol headers in conjunction with persistent connections. This vulnerability specifically affects configurations where the set_remote_address option is enabled with proxy_protocol: :v1 parameter, creating a dangerous attack surface when persistent HTTP connections are utilized. The flaw stems from Puma's incorrect re-parsing behavior of PROXY protocol headers after each keep-alive request on the same connection, which allows malicious actors to inject additional PROXY headers and manipulate the REMOTE_ADDR value that applications use to determine client source IP addresses.
The technical implementation of this vulnerability occurs at the connection management layer where Puma fails to properly validate or sanitize PROXY protocol header data during subsequent requests on persistent connections. When a client establishes a persistent connection with Puma and sends multiple requests using keep-alive, the server incorrectly processes each request's PROXY headers without proper validation mechanisms that would prevent header injection attacks. This behavior creates an opportunity for attackers to craft malicious PROXY protocol headers that can overwrite the legitimate REMOTE_ADDR value, effectively allowing them to spoof source IP addresses and bypass network-level security controls.
The operational impact of this vulnerability extends beyond simple IP address spoofing, as it can enable various attack vectors including access control bypass, rate limiting circumvention, and session hijacking. Applications relying on Puma's REMOTE_ADDR for security decisions may be tricked into treating malicious requests as legitimate ones from trusted source IPs, potentially leading to unauthorized access to protected resources. Network administrators who depend on source IP tracking for monitoring, logging, or firewall rule enforcement face significant challenges as this vulnerability undermines the integrity of IP-based security measures. The vulnerability is particularly concerning in environments where Puma serves as a reverse proxy or load balancer component, as it can compromise the entire security chain that relies on accurate source IP identification.
This vulnerability maps directly to CWE-284 Access Control Bypass and aligns with ATT&CK techniques involving spoofing and credential manipulation. The issue represents a failure in input validation and header processing within Puma's connection handling code, specifically affecting the application layer where network security decisions are made based on client IP addresses. Organizations using Puma in production environments should immediately upgrade to version 7.2.1 or 8.0.2 to resolve this vulnerability, as these releases include proper validation mechanisms that prevent header injection attacks during persistent connection handling. Security teams should also review their monitoring systems to detect potential exploitation attempts and consider implementing additional network-level controls to mitigate the risk while awaiting patch deployment.
The fix implemented in affected versions addresses the core issue by ensuring that PROXY protocol headers are properly validated and only processed once per connection, preventing subsequent requests from overwriting or injecting malicious header data. This approach aligns with security best practices for handling persistent connections and maintaining the integrity of network metadata throughout connection lifecycles. Organizations should conduct thorough testing of their Puma configurations to ensure that the patch does not introduce compatibility issues with existing proxy protocol implementations while verifying that source IP tracking continues to function correctly across all application components that depend on accurate client identification.