🚨 [security] [ruby] Update puma 6.6.1 → 8.0.2 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ puma (6.6.1 → 8.0.2) · Repo · Changelog

Security Advisories 🚨

🚨 Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

Impact

Puma is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used.

PROXY protocol v1 is a connection-level protocol. Support was added to Puma in v5.5.0. A proxy sends one PROXY header at the beginning of a TCP connection, before any HTTP data. Puma incorrectly re-parsed PROXY protocol headers after each keep-alive request on the same connection. An attacker able to send HTTP requests through a trusted proxy could therefore inject a second PROXY header between HTTP requests. Puma would treat the injected header as authoritative for the next request and overwrite REMOTE_ADDR.

This can mislead applications or middleware that use REMOTE_ADDR for security decisions, rate limiting, auditing, or allow/deny lists.

Only deployments that explicitly enable PROXY protocol v1 are affected, and will have set:

set_remote_address proxy_protocol: :v1

Puma's default configuration is not affected. Deployments that do not use persistent connections to Puma are also not expected to be affected by this issue.

Patches

Users should upgrade to versions 7.2.1 or 8.0.2.

Workarounds

Disable PROXY protocol v1 parsing if it is not required:

  # remove/comment this:
  # set_remote_address proxy_protocol: :v1

Users can also disable persistent connections to Puma, for example:

enable_keep_alives false

References

• HAProxy PROXY protocol specification
• CVE-2025-31135 / GHSA-c2c3-pqw5-5p7c: go-guerrilla repeated PROXY command source IP spoofing
• Puma set_remote_address documentation

🚨 Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

Impact

Puma is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used.

PROXY protocol v1 is a connection-level protocol. Support was added to Puma in v5.5.0. A proxy sends one PROXY header at the beginning of a TCP connection, before any HTTP data. Puma incorrectly re-parsed PROXY protocol headers after each keep-alive request on the same connection. An attacker able to send HTTP requests through a trusted proxy could therefore inject a second PROXY header between HTTP requests. Puma would treat the injected header as authoritative for the next request and overwrite REMOTE_ADDR.

This can mislead applications or middleware that use REMOTE_ADDR for security decisions, rate limiting, auditing, or allow/deny lists.

Only deployments that explicitly enable PROXY protocol v1 are affected, and will have set:

set_remote_address proxy_protocol: :v1

Puma's default configuration is not affected. Deployments that do not use persistent connections to Puma are also not expected to be affected by this issue.

Patches

Users should upgrade to versions 7.2.1 or 8.0.2.

Workarounds

Disable PROXY protocol v1 parsing if it is not required:

  # remove/comment this:
  # set_remote_address proxy_protocol: :v1

Users can also disable persistent connections to Puma, for example:

enable_keep_alives false

References

• HAProxy PROXY protocol specification
• CVE-2025-31135 / GHSA-c2c3-pqw5-5p7c: go-guerrilla repeated PROXY command source IP spoofing
• Puma set_remote_address documentation

🚨 Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion

Impact

PROXY protocol support for Puma was added in version 5.5.0.

When PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer. It waits for "\r\n" to determine whether a PROXY v1 line is present. If an attacker opens a TCP connection and continuously sends bytes without CRLF, Puma keeps appending to this pre-parse buffer.

This can cause unbounded in-process memory growth and additional CPU cost from repeatedly scanning the growing buffer for CRLF. A single, unauthenticated TCP connection can drive significant memory growth and may cause process/container OOM or degraded availability.

Only Puma servers using the following non-default config are affected:

   set_remote_address proxy_protocol: :v1

Patches

Users should upgrade to versions 7.2.1 or 8.0.2.

Workarounds

• Disable PROXY protocol v1 parsing if it is not required:

  # remove/comment this:
  # set_remote_address proxy_protocol: :v1

• Restrict direct network access to Puma listeners using PROXY protocol:
  • Only allow trusted load balancers/reverse proxies to connect.
  • Block arbitrary client TCP access with firewall/security group rules.

Resources

• HAProxy PROXY protocol specification
• CWE-400: Uncontrolled Resource Consumption
• CWE-770: Allocation of Resources Without Limits or Throttling
• Puma set_remote_address documentation
• Puma client PROXY protocol parsing code
• Puma constants, including PROXY_PROTOCOL_V1_REGEX

🚨 Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion

Impact

PROXY protocol support for Puma was added in version 5.5.0.

When PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer. It waits for "\r\n" to determine whether a PROXY v1 line is present. If an attacker opens a TCP connection and continuously sends bytes without CRLF, Puma keeps appending to this pre-parse buffer.

This can cause unbounded in-process memory growth and additional CPU cost from repeatedly scanning the growing buffer for CRLF. A single, unauthenticated TCP connection can drive significant memory growth and may cause process/container OOM or degraded availability.

Only Puma servers using the following non-default config are affected:

   set_remote_address proxy_protocol: :v1

Patches

Users should upgrade to versions 7.2.1 or 8.0.2.

Workarounds

• Disable PROXY protocol v1 parsing if it is not required:

  # remove/comment this:
  # set_remote_address proxy_protocol: :v1

• Restrict direct network access to Puma listeners using PROXY protocol:
  • Only allow trusted load balancers/reverse proxies to connect.
  • Block arbitrary client TCP access with firewall/security group rules.

Resources

• HAProxy PROXY protocol specification
• CWE-400: Uncontrolled Resource Consumption
• CWE-770: Allocation of Resources Without Limits or Throttling
• Puma set_remote_address documentation
• Puma client PROXY protocol parsing code
• Puma constants, including PROXY_PROTOCOL_V1_REGEX

Release Notes

8.0.2

• Bugfixes
  • Anchor PROXY protocol v1 regex to string start and enforce max line length to prevent injection via crafted request bodies ([#3944])
  • Parse PROXY protocol header only on the first request per connection to prevent spoofing on keep-alive connections ([#3944])

Security advisories

• CVE-2026-47736 / GHSA-qpgp-93vx-g8v8: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
• CVE-2026-47737 / GHSA-2vqw-3mp8-cgmx: Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

8.0.1

• Bugfixes

  • Fix prune_bundler stripping user-configured BUNDLE_* env vars (e.g. BUNDLE_WITHOUT) on re-exec, which caused workers to crash on boot ([#3929])

• Performance

  • Use blocks for debug logging to avoid creating log messages when debug is disabled ([#3920])

• Docs

  • Fix incorrect hook names in gRPC docs ([#3923])
  • Reword v8 upgrade guide IPv6 bullet for clarity ([#3928])

8.0.0

Read our Version 8 Upgrade Guide.

• Features

  • Add env["puma.mark_as_io_bound"] API and max_io_threads config to allow IO-bound requests to exceed the thread pool max, enabling better handling of mixed workloads ([#3816], [#3894])
  • Add single and cluster DSL hooks for mode-specific configuration ([#3621])
  • Add on_force option to shutdown_debug to only dump thread backtraces on forced (non-graceful) shutdown ([#3671])
  • Add API to dynamically update min and max thread counts at runtime via update_thread_pool_min_max and ServerPluginControl ([#3658])
  • Use SIGPWR for thread backtrace dumps on Linux/JRuby where SIGINFO is unavailable ([#3829])

• Bugfixes

  • Fix phased restart for fork_worker to avoid forking from stale worker 0 when it has been replaced ([#3853])

• Performance

  • JRuby HTTP parser improvements: pre-allocated header keys, perfect hash lookup, reduced memory copies ([#3838])
  • Cache downcased header key in str_headers to avoid redundant String#downcase calls, reducing allocations by ~50% per response ([#3874])

• Refactor

  • Collect env processing into dedicated client_env.rb module ([#3582])
  • Move event to default configuration ([#3872])

• Docs

  • Add gRPC guide for configuring gRPC lifecycle hooks in clustered mode ([#3885])
  • Add 7.0 upgrade guide, move 5.0/6.0 upgrade guides to docs directory ([#3900])
  • Correct default values for persistent_timeout and worker_boot_timeout in DSL docs ([#3912])
  • Add file descriptor limit warning in test helper for contributors ([#3893])

• Breaking changes

  • Default production bind address changed from 0.0.0.0 to :: (IPv6) when a non-loopback IPv6 interface is available; falls back to 0.0.0.0 if IPv6 is unavailable ([#3847])

7.2.1

• Bugfixes
  • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs ([#3947])
  • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests ([#3947])

Security advisories

• CVE-2026-47736 / GHSA-qpgp-93vx-g8v8: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
• CVE-2026-47737 / GHSA-2vqw-3mp8-cgmx: Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

7.2.0

7.2.0 On The Corner

• Features

  • Add workers :auto ([#3827])
  • Make it possible to restrict control server commands to stats ([#3787])

• Bugfixes

  • Don't break if WEB_CONCURRENCY is set to a blank string ([#3837])
  • Don't share server between worker 0 and descendants on refork ([#3602])
  • Fix phase check race condition in Puma::Cluster#check_workers ([#3690])
  • Fix advertising of CLI config before config files are loaded ([#3823])

• Performance

  • 17% faster HTTP parsing through pre-interning env keys ([#3825])
  • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible ([#3828])

• Refactor

  • Remove NoMethodError rescue in Reactor#select_loop ([#3831])
  • Various cleanups in the C extension ([#3814])
  • Monomorphize handle_request return ([#3802])

• Docs

  • Change link to docs/deployment.md in README.md ([#3848])
  • Fix formatting for each signal description in signals.md ([#3813])
  • Update deployment and Kubernetes docs with Puma configuration tips ([#3807])
  • Rename master to main ([#3809], [#3808], [#3800])
  • Fix some minor typos in the docs ([#3804])
  • Add GOVERNANCE.md, MAINTAINERS ([#3826])
  • Remove Code Climate badge ([#3820])
  • Add @joshuay03 to the maintainer list

• CI

  • Use Minitest 6 where applicable ([#3859])
  • Many test suite improvements and flake fixes ([#3861], [#3863], [#3860], [#3852], [#3857], [#3856], [#3845], [#3843], [#3842], [#3841], [#3822], [#3817], [#3764])

New Contributors

• @moozzi made their first contribution in #3848
• @ybiquitous made their first contribution in #3813
• @jrafanie made their first contribution in #3804

Full Changelog: v7.1.0...v7.2.0

7.1.0

7.1.0 / 2025-10-16 - Neon Witch

• Features

  • Introduce after_worker_shutdown hook ([#3707])
  • Reintroduce keepalive "fast inline" behavior. Provides faster (8x on JRuby & 1.4x on Ruby) pipeline processing ([#3794])

• Bugfixes

  • Skip reading zero bytes when request body is buffered ([#3795])
  • Fix PUMA_LOG_CONFIG=1 logging twice with prune_bundler enabled ([#3778])
  • Fix prune_bundler not showing in PUMA_LOG_CONFIG=1 output ([#3779])
  • Guard ThreadPool method call, which may be nil during shutdown ([#3791], [#3790])
  • Set Thread.current.puma_server in Thread init code, not every request ([#3774])
  • Fix race condition while deleting pidfile ([#3657])

New Contributors

• @nerdrew made their first contribution in #3707
• @mopp made their first contribution in #3783
• @marksmith made their first contribution in #3657
• @Nymuxyzo made their first contribution in #3762

Full Changelog: v7.0.4...v7.1.0

7.0.4 (from changelog)

• Bugfixes

  • Fix SSL_shutdown error handling (#3703)
  • Strip whitespace from the beginnings of request header values. (#3742)

• Performance

  • puma_http11.c: Use interned UTF-8 strings for hash keys (#3754)
  • Move sleep cluster logic to its own class (#3746, #3740)

7.0.3

7.0.3 / 2025-09-13

• Performance

  • server.rb - process_client - add ka to todo if readable & complete ([#3748])

• Bugfixes

  • Convert PUMA_PERSISTENT_TIMEOUT to an Integer ([#3749])

7.0.2

What's Changed

• Fix Puma not booting if queue_requests disabled by @stanhu in #3731
• Replace sleep 0.001 while out_of_band_running with condition variable by @bensheldon in #3729
• bug: control_cli.rb - Fixup pumactl code to load puma.rb for deprecate_method_change by @MSP-Greg in #3736

New Contributors

• @bensheldon made their first contribution in #3729

Full Changelog: v7.0.1...v7.0.2

7.0.1

What's Changed

• Add backward compatibility aliases for Events class methods by @tannakartikey in #3725

Full Changelog: v7.0.0...v7.0.1

7.0.0

7.0.0

• Breaking changes
  • Set default max_keep_alive to 999 ([#3719])
  • Increase persistent_timeout default to 65 seconds ([#3378])
  • Raise an ArgumentError if no block given to hooks ([#3377])
  • Don't set env['HTTP_VERSION'] for Rack > 3.1 ([#3711], [#3576])
  • Runner.rb - remove ruby_engine method, deprecated Nov-2024 ([#3701])
  • Set conditional config defaults after CLI options are parsed and config files are loaded ([#3297])
  • Response headers set to lowercase ([#3704])
  • Update minimum Ruby version to 3.0 ([#3698])
  • Rename callback hooks ([#3438])

Old hook name	New hook name
on_worker_boot	before_worker_boot
on_worker_shutdown	before_worker_shutdown
on_restart	before_restart
on_booted	after_booted
on_stopped	after_stopped
on_refork	before_refork
on_thread_start	before_thread_start
on_thread_exit	before_thread_exit
on_worker_fork	before_worker_fork

• Features

  • Fix long tail response problem with keepalive connections ([#3678]) (Previously released in 7.0.0.pre1, this was a high effort change)
  • Introduce support for fiber-per-request. ([#3101])
  • Add support for rack.response_finished ([#3681])
  • Feature/support custom logger with request logs ([#3140])

• Bugfixes

  • Fixes a bug where triggering hooks in the ThreadPool fails ([#3716])
  • Fix error_logger inproperly logging env[QUERY_STRING] ([#3713], [#3625])
  • Fix handling of invalid Transfer-Encoding header errors ([#3702])
  • Fix socket leak on monitor wakeup NoMethodError in Reactor#select_loop ([#3696], [#3695])
  • CI: puma_socket.rb fixup socket/request writes ([#3684])
  • Warn when RUBY_MN_THREADS env var is set ([#3721])
  • Improve the DSL preload_app! doc ([#3712])
  • Fix the ability to focus individual tests ([#3705])
  • Set env['rack.hijack'] to client.method(:full_hijack) ([#3073])

• Performance

  • server.rb - initialize ivars @reactor and @env_set_http_version ([#3714])

• Refactor

  • Simplify Puma::DSL#process_hook logic ([#3710])
  • Dry up deprecation warnings and fix deprecation warnings when running CI. ([#3709], [#3708])
  • Ensure and enforce that configs are loaded before options are accessed ([#3616])

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ bundler-audit (0.9.2 → 0.9.3) · Repo · Changelog

Release Notes

0.9.3

• Officially support Ruby 3.4, 3.5, and 4.0.
• Added support for Bundler 4.x.
• Fixed typos in API documentation.

CLI

• Ensure that the bundler-audit check command honors the BUNDLER_AUDIT_DB environment variable.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

• Updated the ChangeLog for 0.9.3.
• Version bump to 0.9.3.
• Added Ruby 4.0 to the CI matrix.
• Added Ruby 3.5 to the CI matrix.
• Require rubygems-tasks ~> 0.3 for Ruby 3.5 and 4.0.
• Allow using bundler 4.x
• Remove syntax highlighting from example output.
• Be consistent and only use markdown code fences.
• Fixed typo in `@return` tag.
• Update RubyGems in GitHub Actions CI (#406)
• Added Ruby 3.4 to the GitHub CI matrix.
• Disable new rubocops.
• Default `check --database` to `Database::DEFAULT_PATH`.
• Switched to using `Database::DEFAULT_PATH` instead of `Database.path`.
• Disable the `Gemspec/RequireMFA` rule since it's not aware of `gemspec.yml`.
• Added gem metadata and corrected links in gemspec.yml

↗️ nio4r (indirect, 2.7.4 → 2.7.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

• Bump patch version.
• Remove `tea.yaml`.
• Fix for `OpenSSL::SSL::SSLContext` `set_minmax_proto_version` removal. (#327)
• Update releases.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)