puma/puma v8.0.2

on GitHub

• Bugfixes
  • Anchor PROXY protocol v1 regex to string start and enforce max line length to prevent injection via crafted request bodies ([#3944])
  • Parse PROXY protocol header only on the first request per connection to prevent spoofing on keep-alive connections ([#3944])

Security advisories

• CVE-2026-47736 / GHSA-qpgp-93vx-g8v8: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
• CVE-2026-47737 / GHSA-2vqw-3mp8-cgmx: Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections