CVE-2026-47737

描述

### Impact Puma is vulnerable to source IP spoofing when `set_remote_address proxy_protocol: :v1` is enabled and persistent connections are used. PROXY protocol v1 is a connection-level protocol. [Support was added to Puma in v5.5.0](https://github.com/puma/puma/issues/2651). A proxy sends one PROXY header at the beginning of a TCP connection, before any HTTP data. Puma incorrectly re-parsed PROXY protocol headers after each keep-alive request on the same connection. An attacker able to send HTTP requests through a trusted proxy could therefore inject a second PROXY header between HTTP requests. Puma would treat the injected header as authoritative for the next request and overwrite `REMOTE_ADDR`. This can mislead applications or middleware that use `REMOTE_ADDR` for security decisions, rate limiting, auditing, or allow/deny lists. **Only deployments that explicitly enable PROXY protocol v1 are affected**, and will have set: ```ruby set_remote_address proxy_protocol: :v1 ``` Puma's default configuration is not affected. Deployments that do not use persistent connections to Puma are also not expected to be affected by this issue. ### Patches Users should upgrade to versions 7.2.1 or 8.0.2. ### Workarounds Disable PROXY protocol v1 parsing if it is not required: ```ruby # remove/comment this: # set_remote_address proxy_protocol: :v1 ``` Users can also disable persistent connections to Puma, for example: ```ruby enable_keep_alives false ``` ### References - [HAProxy PROXY protocol specification](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) - [CVE-2025-31135 / GHSA-c2c3-pqw5-5p7c: go-guerrilla repeated PROXY command source IP spoofing](https://github.com/phires/go-guerrilla/security/advisories/GHSA-c2c3-pqw5-5p7c) - [Puma `set_remote_address` documentation](https://github.com/puma/puma/blob/master/lib/puma/dsl.rb)

如何修補 CVE-2026-47737

要修補 CVE-2026-47737,請將受影響套件升級到下列已修補版本。

• —升級至 8.0.2 或更新版本

CVE-2026-47737 正在被利用嗎?

目前沒有被利用訊號。CVE-2026-47737 既不在 CISA KEV 也沒有最新的 EPSS 分數。

受影響套件(1)