<Vulnerability name="CVE-2026-47737">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-14T19:45:16</PublicDate>
    <Bugzilla id="2500584" url="https://bugzilla.redhat.com/show_bug.cgi?id=2500584" xml:lang="en:us">
puma: Puma: Source IP spoofing via PROXY protocol header re-parsing
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-358</CWE>
    <Details xml:lang="en:us" source="Mitre">
Puma is a Ruby/Rack web server built for parallelism. From 5.5.0 until 7.2.1 and 8.0.2, Puma is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used because Puma incorrectly re-parses PROXY protocol headers after each keep-alive request on the same connection, allowing an attacker to inject a second PROXY header and overwrite REMOTE_ADDR. This issue is fixed in versions 7.2.1 and 8.0.2.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Puma, a Ruby/Rack web server. When `set_remote_address proxy_protocol: :v1` is enabled and persistent connections are used, Puma incorrectly re-parses PROXY protocol headers after each keep-alive request on the same connection. This allows a remote attacker to inject a second PROXY header, leading to source IP (Internet Protocol) spoofing and potentially impacting security logging or access control decisions.
    </Details>
    <Statement xml:lang="en:us">
This flaw only affects Puma deployments that explicitly enable `set_remote_address proxy_protocol: :v1` together with persistent (keep-alive) connections to the proxy. This is not Puma default configuration.
    </Statement>
    <Mitigation xml:lang="en:us">
Upgrade puma to 7.2.1 or 8.0.2 (or later). If an immediate upgrade is not possible, remove the `set_remote_address proxy_protocol: :v1` configuration, or disable persistent connections (`enable_keep_alives false`), to prevent PROXY protocol v1 header re-parsing on the same connection.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp21/backend</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp21/zync</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp22/backend</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp22/zync</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp2/backend-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp2/zync-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:red_hat_3scale_amp:2">
        <ProductName>Red Hat 3scale API Management Platform 2</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>3scale-amp2/zync-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pcs</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pcs</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>pcs</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>rubygem-puma</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>satellite:el8/rubygem-puma</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-47737
https://nvd.nist.gov/vuln/detail/CVE-2026-47737
https://github.com/puma/puma/commit/439c6136d9c2275721b7864db3ee78af7c80889f
https://github.com/puma/puma/commit/ebe9db3929ab8299d19c8f5b41e8ef4f4b22fa58
https://github.com/puma/puma/pull/3944
https://github.com/puma/puma/pull/3947
https://github.com/puma/puma/releases/tag/v7.2.1
https://github.com/puma/puma/releases/tag/v8.0.2
https://github.com/puma/puma/security/advisories/GHSA-2vqw-3mp8-cgmx
    </References>
</Vulnerability>