
PGV-2642401 - Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

Disclosed on June 09, 2026 (updated June 09, 2026)

Vulnerability Overview

PGV-2642401 is a category 3 vulnerability that affects puma, versions ≥ 5.5.0 & < 7.2.1 and ≥ 8.0.0 & < 8.0.2

Risk Assessment

The risk assessment shows that this vulnerability is exploited by an external attacker: an unauthorized external actor who attempts to exploit this vulnerability without legitimate access.

The impact is contained to the application. Exploitation remains confined to the application and cannot affect the host environment or external systems.

The threat damage is caused by data tampering. Exploitation can result in modification of any data (authorized or not) within the system.

Vulnerability Details

Impact

Puma is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used.

PROXY protocol v1 is a connection-level protocol. Support was added to Puma in v5.5.0. A proxy sends one PROXY header at the beginning of a TCP connection, before any HTTP data. Puma incorrectly re-parsed PROXY protocol headers after each keep-alive request on the same connection. An attacker able to send HTTP requests through a trusted proxy could therefore inject a second PROXY header between HTTP requests. Puma would treat the injected header as authoritative for the next request and overwrite REMOTE_ADDR.

This can mislead applications or middleware that use REMOTE_ADDR for security decisions, rate limiting, auditing, or allow/deny lists.

Only deployments that explicitly enable PROXY protocol v1 are affected, and will have set:

set_remote_address proxy_protocol: :v1

Puma's default configuration is not affected. Deployments that do not use persistent connections to Puma are also not expected to be affected by this issue.
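The following is an added example, not Puma's own code, that models the defect described above on a persistent connection. It is a toy PROXY protocol v1 handler with a switch: re-parsing the PROXY line before every request (the reported behaviour) versus parsing it exactly once at connection start, as a connection-level protocol requires. The byte stream, addresses and request paths are constructed for the demonstration; a real server would also need body handling, which this model omits.

```ruby
# Added example (not Puma's code): toy model of PROXY protocol v1 handling on a
# keep-alive connection, comparing parse-per-request with parse-once.

# PROXY v1 preamble: "PROXY TCP4 <src> <dst> <sport> <dport>\r\n" or "PROXY UNKNOWN ...\r\n".
PROXY_V1_RE = /\APROXY (?:(TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})|UNKNOWN[^\r\n]*)\r\n/
# Minimal HTTP/1.x request-line shape; a PROXY line does not satisfy it.
REQUEST_LINE_RE = %r{\A[A-Z]+ \S+ HTTP/1\.[01]\z}

# Parse a PROXY v1 line at the front of +buf+.
# Returns [source_address, remaining_bytes], or nil when no preamble is present.
def parse_proxy_v1(buf)
  m = PROXY_V1_RE.match(buf)
  return nil unless m
  [m[2], m.post_match] # m[2] is nil for "PROXY UNKNOWN"
end

# Split one header-only HTTP request off the front of +buf+ (toy: no bodies).
def split_request(buf)
  idx = buf.index("\r\n\r\n")
  return nil unless idx
  [buf[0, idx + 4], buf[(idx + 4)..]]
end

# Process a connection's bytes. Each request is recorded with the REMOTE_ADDR
# it would observe. reparse_per_request: true reproduces the defect; false
# parses the PROXY preamble once, before the first request only.
def process_connection(stream, reparse_per_request:)
  buf = stream.dup
  remote_addr = nil
  served = []
  request_count = 0

  until buf.empty?
    if request_count.zero? || reparse_per_request
      if (hdr = parse_proxy_v1(buf))
        remote_addr, buf = hdr
      end
    end

    req, buf = split_request(buf)
    break unless req # incomplete request: would wait for more bytes

    request_line = req.lines.first.chomp
    unless REQUEST_LINE_RE.match?(request_line)
      # A PROXY line mid-stream is not HTTP. The parse-once server answers 400
      # and closes instead of accepting it as a new connection preamble.
      served << { request: request_line, remote_addr: remote_addr, status: 400 }
      break
    end

    served << { request: request_line, remote_addr: remote_addr, status: 200 }
    request_count += 1
  end
  served
end

# Constructed sample: the proxy's legitimate preamble, one request, then a second
# PROXY line carried inside the HTTP stream ahead of the next request.
SAMPLE_STREAM =
  "PROXY TCP4 203.0.113.10 10.0.0.5 44000 443\r\n" \
  "GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n" \
  "PROXY TCP4 10.0.0.9 10.0.0.5 1 443\r\n" \
  "GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"

def vulnerable_result
  process_connection(SAMPLE_STREAM, reparse_per_request: true)
end

def fixed_result
  process_connection(SAMPLE_STREAM, reparse_per_request: false)
end

if __FILE__ == $PROGRAM_NAME
  puts "re-parse per request: #{vulnerable_result.inspect}"
  puts "parse once:           #{fixed_result.inspect}"
end
```

With re-parsing, the second request is served with REMOTE_ADDR 10.0.0.9, the address chosen by whoever wrote the second PROXY line; with parse-once, the second PROXY line is rejected as a malformed request and the connection closes, so no request is ever served under the spoofed address. The same distinction is what any middleware that keys rate limits or allow lists on REMOTE_ADDR is relying on.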

Patches

Users should upgrade to versions 7.2.1 or 8.0.2.

Workarounds

Disable PROXY protocol v1 parsing if it is not required:

  # remove/comment this:
  # set_remote_address proxy_protocol: :v1

Users can also disable persistent connections to Puma, for example:

enable_keep_alives false

References

Common Weakness Enumerations

  • CWE-290 - Authentication Bypass by Spoofing
  • CWE-345 - Insufficient Verification of Data Authenticity
Additional Identifiers
  • CVE-2026-47737
  • GHSA-2vqw-3mp8-cgmx