CWE-348
AllowedUse of Less Trusted Source
Abstraction: Base · Status: Draft
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
114 vulnerabilities reference this CWE, most recent first.
GHSA-HC7R-6254-88W5
Vulnerability from github – Published: 2026-04-10 18:31 – Updated: 2026-04-10 18:31In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.
{
"affected": [],
"aliases": [
"CVE-2026-40226"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-10T16:16:33Z",
"severity": "MODERATE"
},
"details": "In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.",
"id": "GHSA-hc7r-6254-88w5",
"modified": "2026-04-10T18:31:18Z",
"published": "2026-04-10T18:31:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40226"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HGCH-F8PJ-55CF
Vulnerability from github – Published: 2025-12-28 21:30 – Updated: 2025-12-28 21:30A security vulnerability has been detected in PbootCMS up to 3.2.12. The affected element is the function get_user_ip of the file core/function/handle.php of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to use of less trusted source. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-15154"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-28T21:15:54Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been detected in PbootCMS up to 3.2.12. The affected element is the function get_user_ip of the file core/function/handle.php of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to use of less trusted source. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.",
"id": "GHSA-hgch-f8pj-55cf",
"modified": "2025-12-28T21:30:25Z",
"published": "2025-12-28T21:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15154"
},
{
"type": "WEB",
"url": "https://note-hxlab.wetolink.com/share/JyBNgF8JagWQ"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.338532"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.338532"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.719818"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HJ78-P4H7-M5FV
Vulnerability from github – Published: 2025-01-28 19:15 – Updated: 2025-03-17 20:23Problem Description
A vulnerability in the account linking logic of the extension allows a pre-hijacking attack leading to Account Takeover. The attack can only be exploited if the following requirements are met:
- An attacker can anticipate the email address of the user.
- An attacker can register a public frontend user account using that email address before the user's first OIDC login.
- The IDP returns the field email containing the email address of the user
Solution
An updated versions 4.0.0 is available from the TYPO3 extension manager, packagist and at https://extensions.typo3.org/extension/download/oidc/4.0.0/zip
Users of the extension are advised to update the extension as soon as possible.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "causal/oidc"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "4.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24856"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-348",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-28T19:15:44Z",
"nvd_published_at": "2025-03-16T04:15:14Z",
"severity": "MODERATE"
},
"details": "## Problem Description\nA vulnerability in the account linking logic of the extension allows a pre-hijacking attack leading to Account Takeover. The attack can only be exploited if the following requirements are met:\n\n- An attacker can anticipate the email address of the user.\n- An attacker can register a public frontend user account using that email address before the user\u0027s first OIDC login.\n- The IDP returns the field email containing the email address of the user\n\n## Solution\nAn updated versions 4.0.0 is available from the TYPO3 extension manager, packagist and at \nhttps://extensions.typo3.org/extension/download/oidc/4.0.0/zip\n\nUsers of the extension are advised to update the extension as soon as possible.",
"id": "GHSA-hj78-p4h7-m5fv",
"modified": "2025-03-17T20:23:43Z",
"published": "2025-01-28T19:15:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24856"
},
{
"type": "WEB",
"url": "https://github.com/xperseguers/t3ext-oidc/commit/877e09f6faf4c87bbb41233112ec7e30d3c902b3"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/causal/oidc/CVE-2025-24856.yaml"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "TYPO3-EXT-SA-2025-001: Account Takeover in extension \"OpenID Connect Authentication\" (oidc)"
}
GHSA-HVM7-86PV-V2P2
Vulnerability from github – Published: 2026-04-03 03:31 – Updated: 2026-04-03 03:31Shynet before 0.14.0 allows Host header injection in the password reset flow.
{
"affected": [],
"aliases": [
"CVE-2026-35507"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-03T02:16:15Z",
"severity": "MODERATE"
},
"details": "Shynet before 0.14.0 allows Host header injection in the password reset flow.",
"id": "GHSA-hvm7-86pv-v2p2",
"modified": "2026-04-03T03:31:01Z",
"published": "2026-04-03T03:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35507"
},
{
"type": "WEB",
"url": "https://github.com/milesmcc/shynet/pull/345"
},
{
"type": "WEB",
"url": "https://github.com/milesmcc/shynet/releases/tag/v0.14.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-JMPJ-W6Q2-9WPP
Vulnerability from github – Published: 2024-10-08 09:30 – Updated: 2024-10-08 09:30The Limit Login Attempts (Spam Protection) plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.3. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.
{
"affected": [],
"aliases": [
"CVE-2022-4534"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-08T09:15:07Z",
"severity": "MODERATE"
},
"details": "The Limit Login Attempts (Spam Protection) plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.3. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.",
"id": "GHSA-jmpj-w6q2-9wpp",
"modified": "2024-10-08T09:30:53Z",
"published": "2024-10-08T09:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4534"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-limit-failed-login-attempts/tags/5.3/login.php#L466"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3163023"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/561ec1b2-ee26-4e0c-b437-d70b04be5b4c?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PGQ3-H7J5-W9FW
Vulnerability from github – Published: 2025-06-13 09:30 – Updated: 2025-06-13 09:30RICOH Streamline NX V3 PC Client versions 3.5.0 to 3.7.0 contains an issue with use of less trusted source, which may allow an attacker who can conduct a man-in-the-middle attack to eavesdrop upgrade requests and execute a malicious DLL with custom code.
{
"affected": [],
"aliases": [
"CVE-2025-48825"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-13T09:15:19Z",
"severity": "LOW"
},
"details": "RICOH Streamline NX V3 PC Client versions 3.5.0 to 3.7.0 contains an issue with use of less trusted source, which may allow an attacker who can conduct a man-in-the-middle attack to eavesdrop upgrade requests and execute a malicious DLL with custom code.",
"id": "GHSA-pgq3-h7j5-w9fw",
"modified": "2025-06-13T09:30:34Z",
"published": "2025-06-13T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48825"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN27937557"
},
{
"type": "WEB",
"url": "https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PMHP-PR8X-258Q
Vulnerability from github – Published: 2026-06-19 15:33 – Updated: 2026-06-23 15:32Use of Less Trusted Source vulnerability in Apache APISIX.
Attacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules. This issue affects Apache APISIX: from 1.2.0 through 3.16.0.
Users are recommended to upgrade to version 3.17.0, which fixes the issue.
{
"affected": [],
"aliases": [
"CVE-2026-44046"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-19T14:16:22Z",
"severity": "LOW"
},
"details": "Use of Less Trusted Source vulnerability in Apache APISIX.\n\nAttacker can take advantage of wolf-rbac plugin under default configuration to potentially pollute logs with spoofed identity information and exploit IP based access control rules.\nThis issue affects Apache APISIX: from 1.2.0 through 3.16.0.\n\nUsers are recommended to upgrade to version 3.17.0, which fixes the issue.",
"id": "GHSA-pmhp-pr8x-258q",
"modified": "2026-06-23T15:32:30Z",
"published": "2026-06-19T15:33:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44046"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/xkshmps51b24yw0qckl5h5ddyv0x6qf9"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/19/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q3Q7-94PW-4C94
Vulnerability from github – Published: 2025-08-20 06:30 – Updated: 2025-08-20 06:30Movable Type contains an issue with use of less trusted source. If exploited, tampered email to reset a password may be sent by a remote unauthenticated attacker.
{
"affected": [],
"aliases": [
"CVE-2025-53522"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-20T05:15:27Z",
"severity": "MODERATE"
},
"details": "Movable Type contains an issue with use of less trusted source. If exploited, tampered email to reset a password may be sent by a remote unauthenticated attacker.",
"id": "GHSA-q3q7-94pw-4c94",
"modified": "2025-08-20T06:30:26Z",
"published": "2025-08-20T06:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53522"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN76729865"
},
{
"type": "WEB",
"url": "https://movabletype.org/news/2025/08/mt-843-released.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q65V-97CJ-P6RH
Vulnerability from github – Published: 2023-07-06 21:14 – Updated: 2026-04-08 18:32The Hide My WP Ghost – Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in.
{
"affected": [],
"aliases": [
"CVE-2022-4537"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-09T03:15:09Z",
"severity": "MODERATE"
},
"details": "The Hide My WP Ghost \u2013 Security Plugin plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 5.0.18. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in.",
"id": "GHSA-q65v-97cj-p6rh",
"modified": "2026-04-08T18:32:04Z",
"published": "2023-07-06T21:14:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4537"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/tags/5.0.18/models/Brute.php#L131"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/hide-my-wp/trunk/models/Brute.php#L132"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4cf89f94-587a-4fed-a6e4-3876b7dbc9ba?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q7P4-7XJV-J3WF
Vulnerability from github – Published: 2025-05-29 16:50 – Updated: 2025-05-30 15:25Summary
Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers.
Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities.
However, it was found that some of these custom headers can indeed be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. By setting the following connection header, the X-Forwarded-Host header can, for example, be removed:
Connection: close, X-Forwarded-Host
Similar critical vulnerabilities have been identified in other web servers and proxies, including CVE-2022-31813 in Apache HTTP Server and CVE-2024-45410 in Traefik.
Details
It was found that the following headers can be removed in this way (i.e. by specifying them within a connection header): - X-Forwarded-Host - X-Forwarded-Port - X-Forwarded-Proto - X-Real-Ip - Forwarded
PoC
The following docker-compose file was used for testing:
version: '3'
services:
fabio:
image: fabiolb/fabio
ports:
- "3000:9999"
- "9998:9998"
volumes:
- ./fabio.properties:/etc/fabio/fabio.properties
backend:
build: .
ports:
- "8080:8080"
environment:
- PYTHONUNBUFFERED=1
The fabio.properties configuration:
proxy.addr = :9999
ui.addr = :9998
registry.backend = static
registry.static.routes = route add service / http://backend:8080/
A Python container runs a simple HTTP server that logs received headers. The Dockerfile:
FROM python:3.11-slim
WORKDIR /app
COPY app.py .
RUN pip install flask
EXPOSE 8080
CMD ["python", "app.py"]
Python Flask Server
from flask import Flask, request
import sys
import os
sys.stdout.flush()
sys.stderr.flush()
os.environ['PYTHONUNBUFFERED'] = '1'
app = Flask(__name__)
@app.before_request
def log_request_info():
print("HEADERS:")
for header_name, header_value in request.headers:
print(f" {header_name}: {header_value}")
@app.route("/", methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH'])
def hello():
return f"Hello, World! Method: {request.method}"
@app.route("/<path:path>", methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH'])
def catch_all(path):
return f"Caught path: {path}, Method: {request.method}"
if __name__ == "__main__":
app.run(host="0.0.0.0", port=8080, debug=True)
A normal HTTP request/response pair looks like this:
Request
GET / HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: curl/8.7.1
Accept: */*
Connection: keep-alive
curl command
curl --path-as-is -i -s -k -X $'GET' \
-H $'Host: 127.0.0.1:3000' -H $'User-Agent: curl/8.7.1' -H $'Accept: */*' -H $'Connection: keep-alive' \
$'http://127.0.0.1:3000/'
Response
HTTP/1.1 200 OK
Server: Werkzeug/3.1.3 Python/3.11.12
Date: Thu, 22 May 2025 23:09:12 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 25
Connection: close
Hello, World! Method: GET
Server Log
backend-1 | HEADERS:
backend-1 | Host: 127.0.0.1:3000
backend-1 | User-Agent: curl/8.7.1
backend-1 | Accept: */*
backend-1 | Forwarded: for=192.168.65.1; proto=http; by=172.24.0.3; httpproto=http/1.1
backend-1 | X-Forwarded-For: 192.168.65.1
backend-1 | X-Forwarded-Host: 127.0.0.1:3000
backend-1 | X-Forwarded-Port: 3000
backend-1 | X-Forwarded-Proto: http
backend-1 | X-Real-Ip: 192.168.65.1
Next, a request, where the Forwarded header is defined as a hop-by-hop header via the Connection header is sent:
Request
GET / HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: curl/8.7.1
Accept: */*
yeet: 123
Connection: keep-alive, Forwarded
curl command
curl --path-as-is -i -s -k -X $'GET' \
-H $'Host: 127.0.0.1:3000' -H $'User-Agent: curl/8.7.1' -H $'Accept: */*' -H $'Connection: keep-alive, Forwarded' \
$'http://127.0.0.1:3000/'
Response
HTTP/1.1 200 OK
Content-Length: 25
Content-Type: text/html; charset=utf-8
Date: Thu, 22 May 2025 23:42:45 GMT
Server: Werkzeug/3.1.3 Python/3.11.12
Hello, World! Method: GET
Server Logs
backend-1 | HEADERS:
backend-1 | Host: 127.0.0.1:3000
backend-1 | User-Agent: curl/8.7.1
backend-1 | Accept: */*
backend-1 | X-Forwarded-For: 192.168.65.1
backend-1 | X-Forwarded-Host: 127.0.0.1:3000
backend-1 | X-Forwarded-Port: 3000
backend-1 | X-Forwarded-Proto: http
backend-1 | X-Real-Ip: 192.168.65.1
The response shows that Fabio's Forwarded header was removed from the request
Impact
If the backend application trusts these custom headers for security-sensitive operations, their removal or modification may lead to vulnerabilities such as access control bypass.
This vulnerability has a critical severity rating similar to CVE-2022-31813 (Apache HTTP Server, 9.8) and CVE-2024-45410 (Traefik, 9.3)
Stripping headers like X-Real-IP can confuse the upstream server about whether the request is coming from an external client through the reverse proxy or from an internal source. This type of vulnerability can be exploited as demonstrated in: Versa Concerto RCE.
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.6.5"
},
"package": {
"ecosystem": "Go",
"name": "github.com/fabiolb/fabio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48865"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-348"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-29T16:50:58Z",
"nvd_published_at": "2025-05-30T07:15:23Z",
"severity": "CRITICAL"
},
"details": "### Summary\nFabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers.\n\nFabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities.\n\nHowever, it was found that some of these custom headers can indeed be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. By setting the following connection header, the X-Forwarded-Host header can, for example, be removed:\n\n```\nConnection: close, X-Forwarded-Host\n```\n\nSimilar critical vulnerabilities have been identified in other web servers and proxies, including [CVE-2022-31813](https://nvd.nist.gov/vuln/detail/CVE-2022-31813) in Apache HTTP Server and [CVE-2024-45410](https://github.com/advisories/GHSA-62c8-mh53-4cqv) in Traefik.\n\n### Details\nIt was found that the following headers can be removed in this way (i.e. by specifying them within a connection header):\n- X-Forwarded-Host\n- X-Forwarded-Port\n- X-Forwarded-Proto\n- X-Real-Ip\n- Forwarded\n\n### PoC\nThe following docker-compose file was used for testing:\n```yml\nversion: \u00273\u0027\nservices:\n fabio:\n image: fabiolb/fabio\n ports:\n - \"3000:9999\"\n - \"9998:9998\"\n volumes:\n - ./fabio.properties:/etc/fabio/fabio.properties\n\n backend:\n build: .\n ports:\n - \"8080:8080\"\n environment:\n - PYTHONUNBUFFERED=1\n```\n\nThe fabio.properties configuration:\n```\nproxy.addr = :9999\nui.addr = :9998\nregistry.backend = static\nregistry.static.routes = route add service / http://backend:8080/\n```\n\nA Python container runs a simple HTTP server that logs received headers.\nThe Dockerfile:\n```dockerfile\nFROM python:3.11-slim\n\nWORKDIR /app\n\nCOPY app.py .\n\nRUN pip install flask\n\nEXPOSE 8080\n\nCMD [\"python\", \"app.py\"]\n```\n\nPython Flask Server\n```python\nfrom flask import Flask, request\nimport sys\nimport os\n\nsys.stdout.flush()\nsys.stderr.flush()\nos.environ[\u0027PYTHONUNBUFFERED\u0027] = \u00271\u0027\n\napp = Flask(__name__)\n\n@app.before_request\ndef log_request_info():\n print(\"HEADERS:\")\n for header_name, header_value in request.headers:\n print(f\" {header_name}: {header_value}\")\n\n@app.route(\"/\", methods=[\u0027GET\u0027, \u0027POST\u0027, \u0027PUT\u0027, \u0027DELETE\u0027, \u0027PATCH\u0027])\ndef hello():\n return f\"Hello, World! Method: {request.method}\"\n\n@app.route(\"/\u003cpath:path\u003e\", methods=[\u0027GET\u0027, \u0027POST\u0027, \u0027PUT\u0027, \u0027DELETE\u0027, \u0027PATCH\u0027])\ndef catch_all(path):\n return f\"Caught path: {path}, Method: {request.method}\"\n\nif __name__ == \"__main__\":\n app.run(host=\"0.0.0.0\", port=8080, debug=True)\n```\n\nA normal HTTP request/response pair looks like this:\n#### Request \n```http\nGET / HTTP/1.1\nHost: 127.0.0.1:3000\nUser-Agent: curl/8.7.1\nAccept: */*\nConnection: keep-alive\n```\n\ncurl command\n```bash\ncurl --path-as-is -i -s -k -X $\u0027GET\u0027 \\\n -H $\u0027Host: 127.0.0.1:3000\u0027 -H $\u0027User-Agent: curl/8.7.1\u0027 -H $\u0027Accept: */*\u0027 -H $\u0027Connection: keep-alive\u0027 \\\n $\u0027http://127.0.0.1:3000/\u0027\n```\n#### Response\n```http\nHTTP/1.1 200 OK\nServer: Werkzeug/3.1.3 Python/3.11.12\nDate: Thu, 22 May 2025 23:09:12 GMT\nContent-Type: text/html; charset=utf-8\nContent-Length: 25\nConnection: close\n\nHello, World! Method: GET\n```\n\nServer Log\n```\nbackend-1 | HEADERS:\nbackend-1 | Host: 127.0.0.1:3000\nbackend-1 | User-Agent: curl/8.7.1\nbackend-1 | Accept: */*\nbackend-1 | Forwarded: for=192.168.65.1; proto=http; by=172.24.0.3; httpproto=http/1.1\nbackend-1 | X-Forwarded-For: 192.168.65.1\nbackend-1 | X-Forwarded-Host: 127.0.0.1:3000\nbackend-1 | X-Forwarded-Port: 3000\nbackend-1 | X-Forwarded-Proto: http\nbackend-1 | X-Real-Ip: 192.168.65.1\n```\n\nNext, a request, where the Forwarded header is defined as a hop-by-hop header via the Connection header is sent:\n#### Request\n```http\nGET / HTTP/1.1\nHost: 127.0.0.1:3000\nUser-Agent: curl/8.7.1\nAccept: */*\nyeet: 123\nConnection: keep-alive, Forwarded\n```\n\ncurl command\n```bash\ncurl --path-as-is -i -s -k -X $\u0027GET\u0027 \\\n -H $\u0027Host: 127.0.0.1:3000\u0027 -H $\u0027User-Agent: curl/8.7.1\u0027 -H $\u0027Accept: */*\u0027 -H $\u0027Connection: keep-alive, Forwarded\u0027 \\\n $\u0027http://127.0.0.1:3000/\u0027\n```\n#### Response\n```http\nHTTP/1.1 200 OK\nContent-Length: 25\nContent-Type: text/html; charset=utf-8\nDate: Thu, 22 May 2025 23:42:45 GMT\nServer: Werkzeug/3.1.3 Python/3.11.12\n\nHello, World! Method: GET\n```\n\nServer Logs\n```\nbackend-1 | HEADERS:\nbackend-1 | Host: 127.0.0.1:3000\nbackend-1 | User-Agent: curl/8.7.1\nbackend-1 | Accept: */*\nbackend-1 | X-Forwarded-For: 192.168.65.1\nbackend-1 | X-Forwarded-Host: 127.0.0.1:3000\nbackend-1 | X-Forwarded-Port: 3000\nbackend-1 | X-Forwarded-Proto: http\nbackend-1 | X-Real-Ip: 192.168.65.1\n```\n\nThe response shows that Fabio\u0027s `Forwarded` header was removed from the request\n\n### Impact\nIf the backend application trusts these custom headers for security-sensitive operations, their removal or modification may lead to vulnerabilities such as access control bypass.\n\nThis vulnerability has a critical severity rating similar to [CVE-2022-31813](https://nvd.nist.gov/vuln/detail/CVE-2022-31813) (Apache HTTP Server, 9.8) and [CVE-2024-45410](https://github.com/advisories/GHSA-62c8-mh53-4cqv) (Traefik, 9.3)\n\nStripping headers like `X-Real-IP` can confuse the upstream server about whether the request is coming from an external client through the reverse proxy or from an internal source. This type of vulnerability can be exploited as demonstrated in: [Versa Concerto RCE](https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce).\n\n### References\n- [CVE-2024-45410](https://github.com/advisories/GHSA-62c8-mh53-4cqv) \n- [CVE-2022-31813](https://nvd.nist.gov/vuln/detail/CVE-2022-31813)\n- [Versa Concerto RCE](https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce)",
"id": "GHSA-q7p4-7xjv-j3wf",
"modified": "2025-05-30T15:25:57Z",
"published": "2025-05-29T16:50:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48865"
},
{
"type": "WEB",
"url": "https://github.com/fabiolb/fabio/commit/fdaf1e966162e9dd3b347ffdd0647b39dc71a1a3"
},
{
"type": "PACKAGE",
"url": "https://github.com/fabiolb/fabio"
},
{
"type": "WEB",
"url": "https://github.com/fabiolb/fabio/releases/tag/v1.6.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Fabio allows HTTP clients to manipulate custom headers it adds"
}
No mitigation information available for this CWE.
CAPEC-141: Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
CAPEC-142: DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.