Impact

Puma is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used.

PROXY protocol v1 is a connection-level protocol. Support was added to Puma in v5.5.0. A proxy sends one PROXY header at the beginning of a TCP connection, before any HTTP data. Puma incorrectly re-parsed PROXY protocol headers after each keep-alive request on the same connection. An attacker able to send HTTP requests through a trusted proxy could therefore inject a second PROXY header between HTTP requests. Puma would treat the injected header as authoritative for the next request and overwrite REMOTE_ADDR.

This can mislead applications or middleware that use REMOTE_ADDR for security decisions, rate limiting, auditing, or allow/deny lists.

Only deployments that explicitly enable PROXY protocol v1 are affected, and will have set:

set_remote_address proxy_protocol: :v1

Puma's default configuration is not affected. Deployments that do not use persistent connections to Puma are also not expected to be affected by this issue.

Workarounds

• Disable PROXY protocol v1 parsing if it is not required:

  remove/comment this:

  set_remote_address proxy_protocol: :v1

Users can also disable persistent connections to Puma, for example:

enable_keep_alives false