CWE-178
AllowedImproper Handling of Case Sensitivity
Abstraction: Base · Status: Incomplete
The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
136 vulnerabilities reference this CWE, most recent first.
GHSA-8FFW-58MQ-48W9
Vulnerability from github – Published: 2022-04-29 01:26 – Updated: 2024-02-02 03:30Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attackers to obtain JSP source code via a request that uses the uppercase ".JSP" extension instead of the lowercase .jsp extension.
{
"affected": [],
"aliases": [
"CVE-2003-0411"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2003-06-30T04:00:00Z",
"severity": "MODERATE"
},
"details": "Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attackers to obtain JSP source code via a request that uses the uppercase \".JSP\" extension instead of the lowercase .jsp extension.",
"id": "GHSA-8ffw-58mq-48w9",
"modified": "2024-02-02T03:30:30Z",
"published": "2022-04-29T01:26:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0411"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=105409846029475\u0026w=2"
},
{
"type": "WEB",
"url": "http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F55221\u0026zone_32=category%3Asecurity"
},
{
"type": "WEB",
"url": "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000610.1-1"
},
{
"type": "WEB",
"url": "http://www.ciac.org/ciac/bulletins/n-103.shtml"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/12093.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/7709"
},
{
"type": "WEB",
"url": "http://www.spidynamics.com/sunone_alert.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-92MV-8F8W-WQ52
Vulnerability from github – Published: 2026-03-04 21:19 – Updated: 2026-03-05 22:37Impact
There is a potential vulnerability in Traefik managing the Connection header with X-Forwarded headers.
When Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed X-Forwarded headers (such as X-Real-Ip, X-Forwarded-Host, X-Forwarded-Port, etc.) via the Connection header does not handle case sensitivity correctly. The Connection tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase Connection tokens (e.g. Connection: x-real-ip) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers.
This is a bypass of the fix for CVE-2024-45410.
Depending on the deployment, the impact may be higher if downstream services rely on these headers (such as X-Real-Ip or X-Forwarded-*) for authentication, authorization, routing, or scheme decisions.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.38
- https://github.com/traefik/traefik/releases/tag/v3.6.9
Workarounds
No workaround available.
For more information
If there are any questions or comments about this advisory, please open an issue.
Original Description Traefik's XForwarded middleware (removeConnectionHeaders) tries to prevent clients from using the Connection header to strip trusted X-Forwarded-* headers, but the protection compares the Connection tokens case-sensitively while the deletion is case-insensitive. As a result, a remote unauthenticated client can send a lowercase token like Connection: x-real-ip and still trigger deletion of traefik-managed X-Real-Ip (and similarly named headers in the managed list). This can cause downstream routing, scheme, and header-based authn/authz decisions to be evaluated with missing trusted forwarding identity headers. ### Severity CRITICAL Rationale: the PoC demonstrates an end-to-end access control bypass pattern when a downstream service uses proxy-provided identity headers (for example, X-Real-Ip) for IP allowlists or trust decisions. A remote unauthenticated client can strip the traefik-managed identity header via a lowercase Connection token, causing the downstream service to evaluate the request without the expected header signal. ### Relevant Links - Repository: https://github.com/traefik/traefik - Pinned commit: a4a91344edcdd6276c1b766ca19ee3f0e346480f - Callsite (pinned): https://github.com/traefik/traefik/blob/a4a91344edcdd6276c1b766ca19ee3f0e346480f/pkg/middlewares/forwardedheaders/forwarded_header.go#L225 ### Vulnerability Details #### Root Cause removeConnectionHeaders uses a case-sensitive membership check for protected header names when inspecting Connection tokens, but it deletes headers via net/http which treats header names case-insensitively. A lowercase token bypasses the protection check and still triggers deletion. #### Attacker Control / Attack Path Remote unauthenticated HTTP client (untrusted IP) sends Connection: x-real-ip, and Traefik deletes the generated X-Real-Ip header. ### Proof of Concept The attached poc.zip contains a deterministic, make-based integration PoC with a canonical run and a negative control. Canonical (vulnerable): unzip poc.zip -d poc cd poc make test Output contains: [CALLSITE_HIT]: pkg/middlewares/forwardedheaders/forwarded_header.go:225 [PROOF_MARKER]: downstream_admin_bypass=1 x_real_ip_present=0 Control (same env, no lowercase token): unzip poc.zip -d poc cd poc make test Output contains: [CALLSITE_HIT]: pkg/middlewares/forwardedheaders/forwarded_header.go:225 [NC_MARKER]: downstream_admin_bypass=0 x_real_ip_present=1 Expected: Connection tokens are handled case-insensitively and protected identity headers (for example, X-Real-Ip and X-Forwarded-*) are not deleted due to client-supplied Connection options (regardless of token casing). Actual: Lowercase Connection tokens bypass the protection check and still trigger deletion of traefik-managed identity headers (for example, X-Real-Ip). ### Recommended Fix - Case-fold (or otherwise canonicalize) Connection header tokens before comparing them against protected header names. - Add a regression test covering lowercase tokens (for example, Connection: x-real-ip). Fix accepted when: a request with Connection: x-real-ip does not cause deletion of traefik-managed X-Real-Ip, and a regression test covers this behavior.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.11.37"
},
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.11.9"
},
{
"fixed": "2.11.38"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.6.8"
},
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.3"
},
{
"fixed": "3.6.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-29054"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-04T21:19:08Z",
"nvd_published_at": "2026-03-05T19:16:15Z",
"severity": "HIGH"
},
"details": "## Impact\n\nThere is a potential vulnerability in Traefik managing the `Connection` header with `X-Forwarded` headers.\n\nWhen Traefik processes HTTP/1.1 requests, the protection put in place to prevent the removal of Traefik-managed `X-Forwarded` headers (such as `X-Real-Ip`, `X-Forwarded-Host`, `X-Forwarded-Port`, etc.) via the `Connection` header does not handle case sensitivity correctly. The `Connection` tokens are compared case-sensitively against the protected header names, but the actual header deletion operates case-insensitively. As a result, a remote unauthenticated client can use lowercase `Connection` tokens (e.g. `Connection: x-real-ip`) to bypass the protection and trigger the removal of Traefik-managed forwarded identity headers.\n\nThis is a bypass of the fix for [CVE-2024-45410](https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv).\n\nDepending on the deployment, the impact may be higher if downstream services rely on these headers (such as `X-Real-Ip` or `X-Forwarded-*`) for authentication, authorization, routing, or scheme decisions.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.38\n- https://github.com/traefik/traefik/releases/tag/v3.6.9\n\n## Workarounds\n\nNo workaround available.\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\nTraefik\u0027s XForwarded middleware (removeConnectionHeaders) tries to prevent clients from using the Connection header to strip trusted X-Forwarded-* headers, but the protection compares the Connection tokens case-sensitively while the deletion is case-insensitive.\n\nAs a result, a remote unauthenticated client can send a lowercase token like Connection: x-real-ip and still trigger deletion of traefik-managed X-Real-Ip (and similarly named headers in the managed list).\n\nThis can cause downstream routing, scheme, and header-based authn/authz decisions to be evaluated with missing trusted forwarding identity headers.\n\n### Severity\n\nCRITICAL\n\nRationale: the PoC demonstrates an end-to-end access control bypass pattern when a downstream service uses proxy-provided identity headers (for example, X-Real-Ip) for IP allowlists or trust decisions. A remote unauthenticated client can strip the traefik-managed identity header via a lowercase Connection token, causing the downstream service to evaluate the request without the expected header signal.\n\n### Relevant Links\n\n- Repository: https://github.com/traefik/traefik\n- Pinned commit: a4a91344edcdd6276c1b766ca19ee3f0e346480f\n- Callsite (pinned): https://github.com/traefik/traefik/blob/a4a91344edcdd6276c1b766ca19ee3f0e346480f/pkg/middlewares/forwardedheaders/forwarded_header.go#L225\n\n### Vulnerability Details\n\n#### Root Cause\n\nremoveConnectionHeaders uses a case-sensitive membership check for protected header names when inspecting Connection tokens, but it deletes headers via net/http which treats header names case-insensitively. A lowercase token bypasses the protection check and still triggers deletion.\n\n#### Attacker Control / Attack Path\n\nRemote unauthenticated HTTP client (untrusted IP) sends Connection: x-real-ip, and Traefik deletes the generated X-Real-Ip header.\n\n### Proof of Concept\n\nThe attached poc.zip contains a deterministic, make-based integration PoC with a canonical run and a negative control.\n\nCanonical (vulnerable):\n\n unzip poc.zip -d poc\n cd poc\n make test\n\nOutput contains:\n\n [CALLSITE_HIT]: pkg/middlewares/forwardedheaders/forwarded_header.go:225\n [PROOF_MARKER]: downstream_admin_bypass=1 x_real_ip_present=0\n\nControl (same env, no lowercase token):\n\n unzip poc.zip -d poc\n cd poc\n make test\n\nOutput contains:\n\n [CALLSITE_HIT]: pkg/middlewares/forwardedheaders/forwarded_header.go:225\n [NC_MARKER]: downstream_admin_bypass=0 x_real_ip_present=1\n\nExpected: Connection tokens are handled case-insensitively and protected identity headers (for example, X-Real-Ip and X-Forwarded-*) are not deleted due to client-supplied Connection options (regardless of token casing).\n\nActual: Lowercase Connection tokens bypass the protection check and still trigger deletion of traefik-managed identity headers (for example, X-Real-Ip).\n\n### Recommended Fix\n\n- Case-fold (or otherwise canonicalize) Connection header tokens before comparing them against protected header names.\n- Add a regression test covering lowercase tokens (for example, Connection: x-real-ip).\n\nFix accepted when: a request with Connection: x-real-ip does not cause deletion of traefik-managed X-Real-Ip, and a regression test covers this behavior.\n\n\u003c/details\u003e",
"id": "GHSA-92mv-8f8w-wq52",
"modified": "2026-03-05T22:37:26Z",
"published": "2026-03-04T21:19:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-92mv-8f8w-wq52"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29054"
},
{
"type": "PACKAGE",
"url": "https://github.com/traefik/traefik"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.38"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "traefik CVE-2024-45410 fix bypass: lowercase `Connection` tokens can delete traefik-managed forwarded identity headers (for example, `X-Real-Ip`)"
}
GHSA-9685-44WP-34GM
Vulnerability from github – Published: 2025-04-29 15:31 – Updated: 2026-06-30 15:30A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.
{
"affected": [],
"aliases": [
"CVE-2025-4035"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-29T13:15:45Z",
"severity": "MODERATE"
},
"details": "A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set cookies for domains it does not own, potentially leading to integrity issues such as session fixation.",
"id": "GHSA-9685-44wp-34gm",
"modified": "2026-06-30T15:30:30Z",
"published": "2025-04-29T15:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4035"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:8128"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-4035"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362651"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/443"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libsoup/-/work_items/443"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-98CH-45WP-CH47
Vulnerability from github – Published: 2026-04-07 18:15 – Updated: 2026-04-07 18:15Summary
Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time.
Impact
An approved command could run with attacker-chosen environment overrides that were not represented in the approval binding. This created an approval-integrity gap for affected host-exec flows.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.4.1 - Patched versions:
>= 2026.4.2 - Latest published npm version:
2026.4.1
Fix Commit(s)
7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d— align approval binding with execution-time env-key normalization
Release Process Note
The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.
Thanks @iskindar for reporting, and thanks @wsparks-vc for coordination.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.4.1"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-07T18:15:48Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nBefore OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time.\n\n## Impact\n\nAn approved command could run with attacker-chosen environment overrides that were not represented in the approval binding. This created an approval-integrity gap for affected host-exec flows.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.4.1`\n- Patched versions: `\u003e= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d` \u2014 align approval binding with execution-time env-key normalization\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @iskindar for reporting, and thanks @wsparks-vc for coordination.",
"id": "GHSA-98ch-45wp-ch47",
"modified": "2026-04-07T18:15:48Z",
"published": "2026-04-07T18:15:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Windows-compatible env override keys could bypass system.run approval binding"
}
GHSA-9CG4-M358-CC47
Vulnerability from github – Published: 2022-04-30 18:13 – Updated: 2024-01-26 18:30Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.
{
"affected": [],
"aliases": [
"CVE-2000-0498"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2000-06-08T04:00:00Z",
"severity": "MODERATE"
},
"details": "Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.",
"id": "GHSA-9cg4-m358-cc47",
"modified": "2024-01-26T18:30:28Z",
"published": "2022-04-30T18:13:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2000-0498"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/4649"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0250.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/1328"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9FXF-PGC8-6FJQ
Vulnerability from github – Published: 2022-04-30 18:13 – Updated: 2024-01-26 18:30IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.
{
"affected": [],
"aliases": [
"CVE-2000-0497"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2000-06-08T04:00:00Z",
"severity": "MODERATE"
},
"details": "IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.",
"id": "GHSA-9fxf-pgc8-6fjq",
"modified": "2024-01-26T18:30:28Z",
"published": "2022-04-30T18:13:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2000-0497"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/ntbugtraq/2000-q2/0263.html"
},
{
"type": "WEB",
"url": "http://www-4.ibm.com/software/webservers/appserv/efix.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/1328"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9M9W-GXF7-RH8M
Vulnerability from github – Published: 2026-07-10 00:03 – Updated: 2026-07-10 00:03Summary
Tesla.Middleware.FollowRedirects is meant to strip the Authorization header when following a cross-origin redirect, but performs the check with a case-sensitive comparison against the lowercase string "authorization". Because Tesla preserves header keys exactly as supplied by the caller, any application that sets the header with its RFC 7235 canonical casing ("Authorization") bypasses the filter entirely, leaking bearer tokens or other credentials to whatever origin the redirect points at.
Details
The filter list in lib/tesla/middleware/follow_redirects.ex is defined as @filter_headers ["authorization", "host"] and the membership check k not in @filter_headers compares the raw key string without case normalization. HTTP header names are case-insensitive per RFC 7230, but Tesla stores them verbatim. A header tuple {"Authorization", "Bearer …"} does not match "authorization", so it passes through the filter and is forwarded to the redirect destination unchecked. The same defect applies to the "Host" entry.
An attacker who can control a Location: response seen by the victim client (their own endpoint, a redirect-open service, or a compromised upstream) receives the credential on the cross-origin follow. No special configuration is required beyond the victim using the standard header casing.
PoC
- Configure a Tesla client with
Tesla.Middleware.FollowRedirectsand set theAuthorizationheader using canonical casing ({"Authorization", "Bearer <token>"}). - Make a request to an endpoint that returns a
302redirect to a different origin. - Observe that the
Authorizationheader with its value is present in the request delivered to the redirect destination.
Impact
High severity (CVSS v4.0: 8.2). Any application using tesla 1.4.0 through 1.18.2 with Tesla.Middleware.FollowRedirects and a non-lowercase Authorization header is affected. The workaround is to use all-lowercase "authorization" as the header key until upgrading to 1.18.3.
Workarounds
Normalize all header keys to lowercase before passing them to Tesla. Use "authorization" instead of "Authorization" when setting headers via Tesla.put_header/3 or Tesla.Middleware.Headers.
Resources
- Introduction commit: https://github.com/elixir-tesla/tesla/commit/2d937d5813d7cda5cd726f41824985fb655c920f
- Patch commit: https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "tesla"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0"
},
{
"fixed": "1.18.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48595"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-10T00:03:31Z",
"nvd_published_at": "2026-06-02T20:16:38Z",
"severity": "HIGH"
},
"details": "### Summary\n\n`Tesla.Middleware.FollowRedirects` is meant to strip the `Authorization` header when following a cross-origin redirect, but performs the check with a case-sensitive comparison against the lowercase string `\"authorization\"`. Because Tesla preserves header keys exactly as supplied by the caller, any application that sets the header with its RFC 7235 canonical casing (`\"Authorization\"`) bypasses the filter entirely, leaking bearer tokens or other credentials to whatever origin the redirect points at.\n\n### Details\n\nThe filter list in `lib/tesla/middleware/follow_redirects.ex` is defined as `@filter_headers [\"authorization\", \"host\"]` and the membership check `k not in @filter_headers` compares the raw key string without case normalization. HTTP header names are case-insensitive per RFC 7230, but Tesla stores them verbatim. A header tuple `{\"Authorization\", \"Bearer \u2026\"}` does not match `\"authorization\"`, so it passes through the filter and is forwarded to the redirect destination unchecked. The same defect applies to the `\"Host\"` entry.\n\nAn attacker who can control a `Location:` response seen by the victim client (their own endpoint, a redirect-open service, or a compromised upstream) receives the credential on the cross-origin follow. No special configuration is required beyond the victim using the standard header casing.\n\n### PoC\n\n1. Configure a Tesla client with `Tesla.Middleware.FollowRedirects` and set the `Authorization` header using canonical casing (`{\"Authorization\", \"Bearer \u003ctoken\u003e\"}`).\n2. Make a request to an endpoint that returns a `302` redirect to a different origin.\n3. Observe that the `Authorization` header with its value is present in the request delivered to the redirect destination.\n\n### Impact\n\nHigh severity (CVSS v4.0: 8.2). Any application using `tesla` 1.4.0 through 1.18.2 with `Tesla.Middleware.FollowRedirects` and a non-lowercase `Authorization` header is affected. The workaround is to use all-lowercase `\"authorization\"` as the header key until upgrading to 1.18.3.\n\n### Workarounds\n\nNormalize all header keys to lowercase before passing them to Tesla. Use `\"authorization\"` instead of `\"Authorization\"` when setting headers via `Tesla.put_header/3` or `Tesla.Middleware.Headers`.\n\n### Resources\n\n* Introduction commit: https://github.com/elixir-tesla/tesla/commit/2d937d5813d7cda5cd726f41824985fb655c920f\n* Patch commit: https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182",
"id": "GHSA-9m9w-gxf7-rh8m",
"modified": "2026-07-10T00:03:31Z",
"published": "2026-07-10T00:03:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48595"
},
{
"type": "WEB",
"url": "https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-48595.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/elixir-tesla/tesla"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-48595"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Tesla: Authorization header leaks on cross-origin redirect via case-sensitive filtering"
}
GHSA-C24V-8RFC-W8VW
Vulnerability from github – Published: 2024-01-19 21:58 – Updated: 2024-01-19 21:58Summary
Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.
This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.
Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17
Details
Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.
See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632
By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.
PoC
Setup
1. Created vanilla Vite project using npm create vite@latest on a Standard Azure hosted Windows 10 instance.
- npm run dev -- --host 0.0.0.0
- Publicly accessible for the time being here: http://20.12.242.81:5173/
2. Created dummy secret files, e.g. custom.secret and production.pem
3. Populated vite.config.js with
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }
Reproduction
1. curl -s http://20.12.242.81:5173/@fs//
- Descriptive error page reveals absolute filesystem path to project root
2. curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
- Discoverable configuration file reveals locations of secrets
3. curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
- Secrets are directly accessible using case-augmented version of filename
Proof

Impact
Who - Users with exposed dev servers on environments with case-insensitive filesystems
What
- Files protected by server.fs.deny are both discoverable, and accessible
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.9.16"
},
"package": {
"ecosystem": "npm",
"name": "vite"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.9.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.2.7"
},
"package": {
"ecosystem": "npm",
"name": "vite"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.5.1"
},
"package": {
"ecosystem": "npm",
"name": "vite"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.11"
},
"package": {
"ecosystem": "npm",
"name": "vite"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-23331"
],
"database_specific": {
"cwe_ids": [
"CWE-178",
"CWE-200",
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-19T21:58:47Z",
"nvd_published_at": "2024-01-19T20:15:14Z",
"severity": "HIGH"
},
"details": "### Summary\n[Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.\n\nThis bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.\n\n### Patches\nFixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17\n\n### Details\nSince `picomatch` defaults to case-sensitive glob matching, but the file server doesn\u0027t discriminate; a blacklist bypass is possible. \n\nSee `picomatch` usage, where `nocase` is defaulted to `false`: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632\n\nBy requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. \n\n### PoC\n**Setup**\n1. Created vanilla Vite project using `npm create vite@latest` on a Standard Azure hosted Windows 10 instance. \n - `npm run dev -- --host 0.0.0.0`\n - Publicly accessible for the time being here: http://20.12.242.81:5173/ \n2. Created dummy secret files, e.g. `custom.secret` and `production.pem`\n3. Populated `vite.config.js` with\n```javascript\nexport default { server: { fs: { deny: [\u0027.env\u0027, \u0027.env.*\u0027, \u0027*.{crt,pem}\u0027, \u0027custom.secret\u0027] } } }\n```\n\n**Reproduction**\n1. `curl -s http://20.12.242.81:5173/@fs//`\n - Descriptive error page reveals absolute filesystem path to project root\n2. `curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js`\n - Discoverable configuration file reveals locations of secrets\n3. `curl -s http://20.12.242.81:5173/@fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT`\n - Secrets are directly accessible using case-augmented version of filename\n\n**Proof**\n\n\n### Impact\n**Who**\n- Users with exposed dev servers on environments with case-insensitive filesystems\n\n**What**\n- Files protected by `server.fs.deny` are both discoverable, and accessible",
"id": "GHSA-c24v-8rfc-w8vw",
"modified": "2024-01-19T21:58:47Z",
"published": "2024-01-19T21:58:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34092"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23331"
},
{
"type": "WEB",
"url": "https://github.com/vitejs/vite/commit/0cd769c279724cf27934b1270fbdd45d68217691"
},
{
"type": "WEB",
"url": "https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5"
},
{
"type": "WEB",
"url": "https://github.com/vitejs/vite/commit/a26c87d20f9af306b5ce3ff1648be7fa5146c278"
},
{
"type": "WEB",
"url": "https://github.com/vitejs/vite/commit/eeec23bbc9d476c54a3a6d36e78455867185a7cb"
},
{
"type": "PACKAGE",
"url": "https://github.com/vitejs/vite"
},
{
"type": "WEB",
"url": "https://vitejs.dev/config/server-options.html#server-fs-deny"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem"
}
GHSA-C29F-V77W-5564
Vulnerability from github – Published: 2022-04-30 18:16 – Updated: 2024-02-02 03:30Perception LiteServe 1.25 allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names.
{
"affected": [],
"aliases": [
"CVE-2001-0795"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2001-10-18T04:00:00Z",
"severity": "MODERATE"
},
"details": "Perception LiteServe 1.25 allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names.",
"id": "GHSA-c29f-v77w-5564",
"modified": "2024-02-02T03:30:30Z",
"published": "2022-04-30T18:16:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2001-0795"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2001-06/0328.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/2926"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C8CF-4F7H-CCJ4
Vulnerability from github – Published: 2022-04-30 18:17 – Updated: 2024-02-02 03:30Task Manager in Windows 2000 does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped with the Task Manager.
{
"affected": [],
"aliases": [
"CVE-2001-1238"
],
"database_specific": {
"cwe_ids": [
"CWE-178"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2001-07-16T04:00:00Z",
"severity": "MODERATE"
},
"details": "Task Manager in Windows 2000 does not allow local users to end processes with uppercase letters named (1) winlogon.exe, (2) csrss.exe, (3) smss.exe and (4) services.exe via the Process tab which could allow local users to install Trojan horses that cannot be stopped with the Task Manager.",
"id": "GHSA-c8cf-4f7h-ccj4",
"modified": "2024-02-02T03:30:29Z",
"published": "2022-04-30T18:17:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2001-1238"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/6919"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/197195"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/3033"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-44
Strategy: Input Validation
Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
No CAPEC attack patterns related to this CWE.