chore(deps): update dependency puma to v7 [security] #547
Open
renovate[bot] wants to merge 1 commit into
Codecov Report
✅ All modified and coverable lines are covered by tests.

@@           Coverage Diff           @@
##           master     #547   +/-   ##
=========================================
  Coverage   100.00%   100.00%
=========================================
  Files          112       112
  Lines         2498      2498
  Branches        82        82
=========================================
  Hits          2498      2498

☔ View full report in Codecov by Harness.
This PR contains the following updates:
puma: '~> 6.6' → '~> 7.0'

Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
CVE-2026-47736 / GHSA-qpgp-93vx-g8v8
Impact
PROXY protocol support for Puma was added in version 5.5.0.

When PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer and waits for "\r\n" to determine whether a PROXY v1 line is present. If an attacker opens a TCP connection and continuously sends bytes without a CRLF, Puma keeps appending to this pre-parse buffer.

This causes unbounded in-process memory growth, plus additional CPU cost from repeatedly scanning the growing buffer for CRLF. A single unauthenticated TCP connection can drive significant memory growth and may cause a process or container OOM or degraded availability.

Only Puma servers that enable PROXY protocol v1 through set_remote_address, which is not the default, are affected.
Patches
Users should upgrade to versions 7.2.1 or 8.0.2.
Workarounds
Resources
set_remote_address documentation
PROXY_PROTOCOL_V1_REGEX

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (network-reachable, unauthenticated, availability impact only)

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections
CVE-2026-47737 / GHSA-2vqw-3mp8-cgmx
Impact
Puma is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used.

PROXY protocol v1 is a connection-level protocol. Support was added to Puma in v5.5.0. A proxy sends one PROXY header at the beginning of a TCP connection, before any HTTP data. Puma incorrectly re-parsed PROXY protocol headers after each keep-alive request on the same connection. An attacker able to send HTTP requests through a trusted proxy could therefore inject a second PROXY header between HTTP requests. Puma would treat the injected header as authoritative for the next request and overwrite REMOTE_ADDR.

This can mislead applications or middleware that use REMOTE_ADDR for security decisions, rate limiting, auditing, or allow/deny lists.

Only deployments that explicitly enable PROXY protocol v1 are affected, and will have set:

set_remote_address proxy_protocol: :v1

Puma's default configuration is not affected. Deployments that do not use persistent connections to Puma are also not expected to be affected by this issue.
Patches
Users should upgrade to versions 7.2.1 or 8.0.2.
Workarounds
Disable PROXY protocol v1 parsing if it is not required:
Users can also disable persistent connections to Puma, for example:
References
set_remote_address documentation

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (network-reachable, unauthenticated, integrity impact only)

This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (in timezone Europe/Paris)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
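Both advisories quoted in the Renovate description above come down to how a server consumes the PROXY v1 line: CVE-2026-47736 is a pre-parse buffer that waits for CRLF without any bound, and CVE-2026-47737 is a PROXY header that is accepted again before every keep-alive request instead of once per connection. The Ruby below is an added illustration written for this page, not Puma's implementation and not part of this PR. The ProxyV1Connection class, its bounded: and parse_once: switches, the 107-byte line limit (taken from the PROXY protocol specification), the 8 KiB request-head cap and the two byte streams are assumptions or constructed inputs. It runs the vulnerable and hardened variants side by side on a connection that floods bytes without a CRLF, and on a persistent connection where the client smuggles a second PROXY line between two requests.

```ruby
require "stringio"

# Added example (not Puma's code): a toy PROXY protocol v1 front-end that
# reproduces the two bugs from the advisories and the hardened behaviour.
# Names, limits and sample streams below are assumptions made for this page.
class ProxyV1Connection
  class Error < StandardError; end

  MAX_PROXY_LINE  = 107   # PROXY protocol spec: a v1 header is at most 107 bytes + CRLF
  MAX_HEAD        = 8192  # cap for an HTTP request head (assumed, typical value)
  PROXY_PREFIX    = "PROXY ".b
  PROXY_V1_RE     = /\APROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n/
  REQUEST_LINE_RE = /\A([A-Z]+) (\S+) HTTP\/1\.[01]\r\n/

  attr_reader :remote_addr, :peak_buffer

  # bounded:    false reproduces the memory-exhaustion bug (CVE-2026-47736)
  # parse_once: false reproduces the repeated-header bug (CVE-2026-47737)
  def initialize(io, bounded: true, parse_once: true)
    @io, @bounded, @parse_once = io, bounded, parse_once
    @buf = "".b          # the pre-parse buffer the advisory describes
    @remote_addr = nil   # becomes REMOTE_ADDR for every request on this connection
    @peak_buffer = 0     # high-water mark of @buf, to make the memory growth visible
    @first_request = true
  end

  # Rack-style env for the next request, {"status" => 400, ...} for a malformed
  # request line, nil at EOF. Raises Error when a cap is exceeded.
  def next_request
    consume_proxy_header if @first_request || !@parse_once
    @first_request = false
    until (eoh = @buf.index("\r\n\r\n"))
      raise Error, "request head exceeds #{MAX_HEAD} bytes" if @buf.bytesize >= MAX_HEAD
      return nil unless read_more(MAX_HEAD - @buf.bytesize)
    end
    head = take(eoh + 4)
    m = REQUEST_LINE_RE.match(head)
    return { "status" => 400, "REMOTE_ADDR" => @remote_addr } unless m
    { "REQUEST_METHOD" => m[1], "PATH_INFO" => m[2], "REMOTE_ADDR" => @remote_addr }
  end

  private

  # Wait for CRLF to decide whether a PROXY v1 line is present. The unbounded
  # variant keeps appending to @buf and rescanning it for as long as the peer
  # sends bytes; the bounded variant stops as soon as the bytes cannot be a header.
  def consume_proxy_header
    until (eol = @buf.index("\r\n"))
      if @bounded
        head = @buf.byteslice(0, PROXY_PREFIX.bytesize)
        return unless PROXY_PREFIX.start_with?(head)   # not a PROXY line: plain HTTP
        if @buf.bytesize >= MAX_PROXY_LINE + 2
          raise Error, "PROXY v1 line exceeds #{MAX_PROXY_LINE} bytes without CRLF"
        end
      end
      want = @bounded ? MAX_PROXY_LINE + 2 - @buf.bytesize : 4096
      return unless read_more(want)
    end
    line = @buf.byteslice(0, eol + 2)
    return unless (m = PROXY_V1_RE.match(line))
    take(line.bytesize)
    @remote_addr = m[1] == "UNKNOWN" ? nil : m[2]
  end

  def read_more(n)
    chunk = @io.read(n)
    return false if chunk.nil? || chunk.empty?
    @buf << chunk.b
    @peak_buffer = @buf.bytesize if @buf.bytesize > @peak_buffer
    true
  end

  def take(n)
    head = @buf.byteslice(0, n)
    @buf = @buf.byteslice(n, @buf.bytesize - n)
    head
  end
end

# Scenario 1 (CVE-2026-47736): one unauthenticated connection that keeps sending
# bytes and never a CRLF. Returns the largest size the pre-parse buffer reached.
def proxy_line_flood(bounded:, bytes: 65_536)
  stream = ("PROXY " + "A" * (bytes - 6)).b   # constructed input
  conn = ProxyV1Connection.new(StringIO.new(stream), bounded: bounded)
  begin
    conn.next_request
  rescue ProxyV1Connection::Error
    # hardened: aborts after 109 bytes; vulnerable: fails only after buffering it all
  end
  conn.peak_buffer
end

# Scenario 2 (CVE-2026-47737): a keep-alive connection through a trusted proxy where
# the client injects a second PROXY line between two requests. Returns the
# REMOTE_ADDR each request saw and the status of the second one.
def keepalive_injection(parse_once:)
  stream = [
    "PROXY TCP4 203.0.113.7 10.0.0.2 51234 80\r\n",   # written by the proxy
    "GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "PROXY TCP4 10.0.0.9 10.0.0.2 51234 80\r\n",      # injected by the client
    "GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n",
  ].join.b                                            # constructed input
  conn = ProxyV1Connection.new(StringIO.new(stream), parse_once: parse_once)
  first, second = conn.next_request, conn.next_request
  [first["REMOTE_ADDR"], second["REMOTE_ADDR"], second["status"]]
end

if __FILE__ == $PROGRAM_NAME
  p proxy_line_flood(bounded: false)          # buffers the whole 64 KiB flood
  p proxy_line_flood(bounded: true)           # gives up at 109 bytes
  p keepalive_injection(parse_once: false)    # second request sees the spoofed 10.0.0.9
  p keepalive_injection(parse_once: true)     # injected line becomes a 400, address kept
end
```

The bounded variant does two things the unbounded one does not: it stops waiting for CRLF as soon as the buffered bytes can no longer be the start of "PROXY ", so ordinary HTTP traffic is only subject to the request-head cap, and it closes the connection once 109 bytes have arrived without a line ending, which is the most a valid v1 header can occupy. The parse_once variant reads a PROXY line only before the first request; a line injected later is simply the next request's first line, fails the request-line check and is answered with 400 while REMOTE_ADDR stays at the address the proxy supplied. Both match the advisories' advice that deployments which do not need PROXY protocol v1 should leave it disabled.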