CVE-2024-45614

5.4 MEDIUM

📋 TL;DR

Puma maps each request header to a Rack env key by upcasing the name and turning '-' into '_', so X-Forwarded-For and X-Forwarded_For both become HTTP_X_FORWARDED_FOR. In affected versions a client could send the underscore spelling and overwrite the value that a reverse proxy had set in the hyphenated header. Any application that relies on proxy-set headers (X-Forwarded-For, X-Real-IP, X-Forwarded-Proto or any other hyphenated header the proxy sets) for access decisions, rate limiting or logging is affected: the client controls the apparent source IP and can bypass proxy-based security controls.
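
The collision described above, as an added example (not Puma's code): a simplified model of how a Rack server turns request headers into env keys, with the vulnerable merge beside the fixed one. The "fixed" variant models the upstream fix as the advisory describes it (the hyphenated header wins and the underscore spelling is dropped when both are present); the real Puma parser differs in detail, and the header values are constructed.

```ruby
# Added example, not Puma's code: a simplified model of header-to-env
# normalization showing why X-Forwarded-For and X-Forwarded_For collide.

# Rack env key for a header name: "HTTP_" + upcased name with '-' -> '_'.
# X-Forwarded-For and X-Forwarded_For both yield HTTP_X_FORWARDED_FOR.
def rack_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Shared walk: hyphenated names (what a proxy sets) are written first;
# underscore names are applied afterwards and `on_collision` decides what
# happens when the key already exists. Applying them last means the
# outcome does not depend on the order the headers arrived in.
def build_env(headers, &on_collision)
  env = {}
  hyphenated, underscored = headers.partition { |name, _| !name.include?("_") }
  hyphenated.each { |name, value| env[rack_key(name)] = value }
  underscored.each do |name, value|
    key = rack_key(name)
    if env.key?(key)
      on_collision.call(env, key, value)
    else
      env[key] = value
    end
  end
  env
end

# Vulnerable behaviour: the underscore spelling overwrites the proxy's value.
def build_env_vulnerable(headers)
  build_env(headers) { |env, key, value| env[key] = value }
end

# Fixed behaviour (as described in the advisory): the underscore spelling is
# discarded when the hyphenated header is present, so the proxy value survives.
def build_env_fixed(headers)
  build_env(headers) { |_env, _key, _value| nil }
end

# What a typical app does with the header: trust the first address.
def client_ip(env)
  env.fetch("HTTP_X_FORWARDED_FOR").split(",").first.strip
end

# Constructed request headers: the proxy's value and the attacker's spelling.
ATTACK_HEADERS = [
  ["Host", "app.example"],
  ["X-Forwarded-For", "203.0.113.5"],   # set by the reverse proxy
  ["X-Forwarded_For", "198.51.100.9"],  # supplied by the client
].freeze

if __FILE__ == $0
  puts "vulnerable: #{client_ip(build_env_vulnerable(ATTACK_HEADERS))}"
  puts "fixed:      #{client_ip(build_env_fixed(ATTACK_HEADERS))}"
end
```

The only difference between the two variants is whether an existing key is overwritten; everything an application sees afterwards (here, `client_ip`) is downstream of that one decision.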

💻 Affected Systems

Products:
  • Puma
Versions: Puma 6.x before 6.4.3, Puma 5.x before 5.6.9, and any older unsupported release
Operating Systems: All operating systems running Puma
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable only where the application trusts a header that a reverse proxy sets (X-Forwarded-For, X-Real-IP, X-Forwarded-Proto and similar). A Puma instance exposed directly with no proxy has nothing to clobber, but must not trust such headers either. Nginx drops header names containing '_' by default (underscores_in_headers off), so deployments behind an unmodified Nginx are shielded until someone turns that directive on.

📦 What is this software?

Puma is a multi-threaded HTTP/1.1 server for Ruby Rack applications and the default application server for Ruby on Rails. It is normally deployed behind a reverse proxy such as Nginx or Apache that terminates TLS and adds headers like X-Forwarded-For describing the original client.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker spoofs the client address seen by the application, bypassing IP allow-lists or IP-restricted admin areas, hiding the true origin in application logs, or impersonating a trusted internal system. If the application trusts X-Forwarded-Proto to decide whether a connection is HTTPS, that decision can be forged the same way.

🟠 Likely Case

Spoofed addresses in application logs, bypass of simple per-IP rate limiting or blocking, and misleading data in incident investigations.

🟢 If Mitigated

With the proxy discarding underscore header names (Nginx's default) or Puma upgraded, a client cannot override proxy-set values. Any remaining exposure comes from the usual X-Forwarded-For pitfalls (trusting the leftmost, client-supplied address) rather than from this bug.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a single HTTP request carrying the underscore spelling of the target header; no authentication is needed when the service is reachable. Whether anything is gained depends on what the application does with the header.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v6.4.3 or v5.6.9

Vendor Advisory: https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4

Restart Required: Yes

Instructions:

1. Update the gem. For a Bundler-managed app, pin the fixed line in the Gemfile ('gem "puma", ">= 6.4.3"' for Puma 6, or 'gem "puma", "~> 5.6", ">= 5.6.9"' for Puma 5) and run 'bundle update puma'; for a bare install run 'gem update puma'.
2. Restart the Puma server with a full stop/start or a hot restart, so that the master process itself loads the new gem.
3. Verify the version with 'puma -v' (or 'bundle exec puma -v'), which prints the running gem version.

🔧 Temporary Workarounds

Configure Nginx to discard underscore headers (Linux, or any platform running Nginx)

Nginx's default is already underscores_in_headers off: header names containing '_' are marked invalid and, with the default ignore_invalid_headers on, are dropped before the request is proxied to Puma. Confirm that nobody has turned it on, and set it explicitly in the http or server block:

underscores_in_headers off;
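
As an added example (not from the advisory), the relevant part of an Nginx configuration fronting Puma, with the safe setting stated explicitly and the weak setting shown for comparison. The upstream name and port are assumptions.

```nginx
# Added example, not the advisory's own configuration.
http {
    # Drop request headers whose names contain '_' before proxying.
    # Both directives are shown at their Nginx defaults; stating them
    # explicitly makes a later "underscores_in_headers on" stand out in review.
    underscores_in_headers off;
    ignore_invalid_headers  on;

    upstream puma_app {
        server 127.0.0.1:3000;   # assumed Puma bind address
    }

    server {
        listen 80;
        location / {
            proxy_pass http://puma_app;
            # Headers the application is allowed to trust; proxy_set_header
            # replaces any client-supplied header of the same name.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

# Weak setting to look for: this forwards X-Forwarded_For to Puma and, on an
# unpatched version, re-enables the override.
#   underscores_in_headers on;
```

Note that $proxy_add_x_forwarded_for appends the client's own X-Forwarded-For value rather than replacing it, so the application should read the address adjacent to the proxy (the rightmost one), not the first.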

Implement application-level validation (all platforms)

Rack middleware only sees the Rack env, in which Puma has already merged both spellings into HTTP_X_FORWARDED_FOR, so it cannot tell which spelling the client used and cannot reject the underscore form on a vulnerable version. What the application layer can still do is limit the blast radius: do not base authorization decisions on X-Forwarded-For at all, read the header only when REMOTE_ADDR is a known proxy, and enforce IP allow-lists at the proxy rather than in the app. Treat this as defense in depth; the proxy-level setting or the upgrade is the actual remediation.

🧯 If You Can't Patch

  • Configure upstream proxies (Nginx, Apache, a WAF) to strip or reject header names containing underscores before they reach Puma; on Nginx this is the default, on other proxies check the documentation rather than assuming it
  • Move IP-based access control and rate limiting into the proxy, where the real client address is known without consulting any header
  • Because the collision only exists for hyphenated names, a proxy-set header whose name contains no hyphen (for example a single-word name) has no underscore spelling that aliases it; if the proxy sets such a header with proxy_set_header and the application reads only that, a client cannot clobber it through this bug

🔍 How to Verify

Check if Vulnerable:

Check the Puma version: if it is below 6.4.3 (Puma 6) or below 5.6.9 (Puma 5), the server is vulnerable, and the exposure is real wherever the application trusts any proxy-set header.

Check Version:

puma -v

Verify Fix Applied:

After the upgrade, send one request carrying both X-Forwarded-For and X-Forwarded_For straight to Puma, to an endpoint that echoes env["HTTP_X_FORWARDED_FOR"]. Bypass the proxy or use a staging instance: Nginx with default settings drops the underscore header before Puma sees it and would make a vulnerable build look fixed. A fixed build returns the hyphenated header's value; a vulnerable build lets the underscore header's value replace it.
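
The check described above as a runnable script. This is an added example, not part of Puma or the advisory: a throwaway echo app served by the installed Puma build, plus a raw-socket probe that sends both spellings and classifies what came back. The host, port and address values are constructed for a local test.

```ruby
# Added example, not Puma's code: echo app + probe for the header override.
require "socket"

PROXY_VALUE  = "203.0.113.5".freeze   # constructed: value a proxy would set
CLIENT_VALUE = "198.51.100.9".freeze  # constructed: value the client injects

# Rack app that echoes whatever reached it as HTTP_X_FORWARDED_FOR.
ECHO_APP = lambda do |env|
  body = env["HTTP_X_FORWARDED_FOR"].to_s
  [200, { "content-type" => "text/plain", "content-length" => body.bytesize.to_s }, [body]]
end

# The probe request: hyphen spelling first, as a proxy would emit it.
def probe_request(host)
  [
    "GET /probe HTTP/1.1",
    "Host: #{host}",
    "X-Forwarded-For: #{PROXY_VALUE}",
    "X-Forwarded_For: #{CLIENT_VALUE}",
    "Connection: close",
    "", "",
  ].join("\r\n")
end

# Decide from the echoed body which behaviour the server showed.
def classify(body)
  value = body.strip
  return :vulnerable if value.include?(CLIENT_VALUE)   # client spelling got through
  return :fixed      if value == PROXY_VALUE           # proxy value survived intact
  :unexpected
end

# Send the probe directly to Puma (not through the proxy) and classify.
def probe(host, port)
  sock = TCPSocket.new(host, port)
  sock.write(probe_request(host))
  response = sock.read
  sock.close
  classify(response.split("\r\n\r\n", 2).last.to_s)
end

# Serve ECHO_APP with the installed Puma gem (Puma::Server API).
def serve(host, port)
  require "puma"
  server = Puma::Server.new(ECHO_APP)
  server.add_tcp_listener(host, port)
  server.run.join
end

host, port = "127.0.0.1", 9292   # assumed local test address
case ARGV.first
when "serve" then serve(host, port)
when "probe" then puts probe(host, port)
end
```

Run `ruby puma_probe.rb serve` under the Puma build you want to check, then `ruby puma_probe.rb probe` from another shell; the script prints `fixed`, `vulnerable`, or `unexpected` (for example when the endpoint returned something other than the header value).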

📡 Detection & Monitoring

Log Indicators:

  • Request header names containing underscores, in particular underscore spellings of headers your proxy sets (X-Forwarded_For, X-Real_IP, X-Forwarded_Proto)
  • Unexpected values in X-Forwarded-For: addresses that do not match what your proxy chain would produce (more than the expected number of hops, private ranges appearing from the Internet edge)

Network Indicators:

  • HTTP requests containing both standard and underscore versions of proxy headers

SIEM Query:

http.headers:*Forwarded_For OR (http.headers:*_* AND http.headers:X-Forwarded-For)

These indicators are only visible where raw request header names are recorded: a WAF, a proxy with a custom log format, or a packet capture. Puma's own logs and the Rack env carry the already-merged HTTP_X_FORWARDED_FOR key, and the default Nginx access log format records no header names at all.
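
The two log indicators above as detection logic, run over a constructed dump of raw request headers. This is an added example, not from the page or Puma; the input format (one header block per request, blank-line separated) is an assumption standing in for whatever a WAF or packet-capture export provides.

```ruby
# Added example, not from the page or Puma: flag requests whose underscore
# header names collide with a hyphenated header in the same request.

# Rack env key for a header name; both spellings of X-Forwarded-For map to
# HTTP_X_FORWARDED_FOR, which is exactly the collision the scan looks for.
def rack_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Input: text dump of requests, one header block per request, blocks
# separated by a blank line, first line being the request line.
# Output: one finding per request that carries any underscore header name;
# :high when that name collides with a hyphenated header in the same
# request (an override attempt), :suspicious otherwise.
def scan_requests(dump)
  dump.split(/\n[ \t]*\n/).each_with_index.filter_map do |block, idx|
    lines = block.lines.map(&:chomp).reject(&:empty?)
    next if lines.empty?
    names = lines.drop(1).filter_map { |l| l.split(":", 2).first.strip if l.include?(":") }
    underscored = names.select { |n| n.include?("_") }
    next if underscored.empty?
    hyphen_keys = names.reject { |n| n.include?("_") }.map { |n| rack_key(n) }
    collisions = underscored.select { |n| hyphen_keys.include?(rack_key(n)) }
    {
      request: idx,
      request_line: lines.first,
      underscore_headers: underscored,
      collisions: collisions,
      severity: collisions.empty? ? :suspicious : :high,
    }
  end
end

# Constructed sample: an override attempt, a benign request, and an
# underscore header that collides with nothing.
SAMPLE_DUMP = <<~DUMP
  GET /admin HTTP/1.1
  Host: app.example
  X-Forwarded-For: 203.0.113.5
  X-Forwarded_For: 10.0.0.1

  GET / HTTP/1.1
  Host: app.example
  X-Forwarded-For: 198.51.100.7

  POST /login HTTP/1.1
  Host: app.example
  X_Custom_Trace: abc
DUMP

if __FILE__ == $0
  scan_requests(SAMPLE_DUMP).each do |f|
    puts "[#{f[:severity]}] request #{f[:request]} (#{f[:request_line]}): " \
         "underscore headers #{f[:underscore_headers].join(', ')}; " \
         "collisions #{f[:collisions].empty? ? 'none' : f[:collisions].join(', ')}"
  end
end
```

A lone underscore header is only suspicious (some clients and SDKs emit them), so the scan keys its severity on the collision rather than on the underscore itself.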
