Source IP Spoofing Vulnerability in Puma Web Server by Puma
CVE-2026-47737

7.5HIGH

Key Information:

Vendor

Puma

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-47737?

The Puma web server, designed for parallelism in Ruby/Rack applications, is susceptible to a source IP spoofing vulnerability when the 'set_remote_address' proxy protocol is enabled. This issue arises when persistent connections are used; the server incorrectly re-parses PROXY protocol headers on subsequent keep-alive requests. Consequently, an attacker can inject an additional PROXY header, which allows them to alter the REMOTE_ADDR value. The vulnerability is addressed in Puma versions 7.2.1 and 8.0.2, emphasizing the importance of upgrading to secure versions.

Affected Version(s)

puma >= 5.5.0, < 7.2.1 < 5.5.0, 7.2.1

puma >= 8.0.0, < 8.0.2 < 8.0.0, 8.0.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.