We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. Users are advised to upgrade. Nginx has a underscores_in_headers configuration variable to discard these headers at the proxy level as a mitigation. Any users that are implicitly trusting the proxy defined headers for security should immediately cease doing so until upgraded to the fixed versions.
Reserved 2024-09-02 | Published 2024-09-19 | Updated 2024-09-20 | Assigner GitHub_MCWE-639: Authorization Bypass Through User-Controlled Key
github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
nginx.org/en/docs/http/ngx_http_core_module.html
Support options