{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "5.5.0"
              },
              {
                "fixed": "7.2.1"
              },
              {
                "introduced": "8.0.0"
              },
              {
                "fixed": "8.0.2"
              }
            ],
            "source": [
              "AFFECTED_FIELD",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "21e0443cca4a53c8f0f97fe5197423031cab3610"
            },
            {
              "introduced": "fcf3173a2eed8d350377891008a41630d976f3d9"
            },
            {
              "fixed": "92754ace040db67622f0e6406dea0b47c94d0139"
            },
            {
              "fixed": "8085b75e79e3f7f1a96e5b488d74a71f62edd24d"
            },
            {
              "fixed": "439c6136d9c2275721b7864db3ee78af7c80889f"
            },
            {
              "fixed": "ebe9db3929ab8299d19c8f5b41e8ef4f4b22fa58"
            }
          ],
          "repo": "https://github.com/puma/puma",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-2vqw-3mp8-cgmx"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-290",
      "CWE-345"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47737.json"
  },
  "details": "Puma is a Ruby/Rack web server built for parallelism. From 5.5.0 until 7.2.1 and 8.0.2, Puma is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used because Puma incorrectly re-parses PROXY protocol headers after each keep-alive request on the same connection, allowing an attacker to inject a second PROXY header and overwrite REMOTE_ADDR. This issue is fixed in versions 7.2.1 and 8.0.2.",
  "id": "CVE-2026-47737",
  "modified": "2026-07-17T03:41:51.831728544Z",
  "published": "2026-07-14T19:45:16.648Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/releases/tag/v7.2.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/releases/tag/v8.0.2"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47737.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/puma/puma/security/advisories/GHSA-2vqw-3mp8-cgmx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47737"
    },
    {
      "type": "FIX",
      "url": "https://github.com/puma/puma/commit/439c6136d9c2275721b7864db3ee78af7c80889f"
    },
    {
      "type": "FIX",
      "url": "https://github.com/puma/puma/commit/ebe9db3929ab8299d19c8f5b41e8ef4f4b22fa58"
    },
    {
      "type": "FIX",
      "url": "https://github.com/puma/puma/pull/3944"
    },
    {
      "type": "FIX",
      "url": "https://github.com/puma/puma/pull/3947"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections"
}