Source IP Spoofing Vulnerability in Puma Web Server by Puma
CVE-2026-47737
7.5HIGH
What is CVE-2026-47737?
The Puma web server, designed for parallelism in Ruby/Rack applications, is susceptible to a source IP spoofing vulnerability when the 'set_remote_address' proxy protocol is enabled. This issue arises when persistent connections are used; the server incorrectly re-parses PROXY protocol headers on subsequent keep-alive requests. Consequently, an attacker can inject an additional PROXY header, which allows them to alter the REMOTE_ADDR value. The vulnerability is addressed in Puma versions 7.2.1 and 8.0.2, emphasizing the importance of upgrading to secure versions.
Affected Version(s)
puma >= 5.5.0, < 7.2.1 < 5.5.0, 7.2.1
puma >= 8.0.0, < 8.0.2 < 8.0.0, 8.0.2
