Common Weakness Enumeration

CWE-348

Allowed

Use of Less Trusted Source

Abstraction: Base · Status: Draft

The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

114 vulnerabilities reference this CWE, most recent first.

GHSA-5X5Q-CQF6-GJ8R

Vulnerability from github – Published: 2024-08-29 18:31 – Updated: 2024-09-04 21:35
VLAI
Summary
Serilog Client IP Spoofing vulnerability
Details

Serilog (before v2.1.0) contains a Client IP Spoofing vulnerability, which allows attackers to falsify their IP addresses in log files by specifying an arbitrary IP as a value of X-Forwarded-For or Client-Ip headers while performing HTTP requests.

It is not possible to configure Serilog.Enrichers.ClientInfo to not trust the X-Forwarded-For header.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Serilog.Enrichers.ClientInfo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-44930"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-29T21:07:16Z",
    "nvd_published_at": "2024-08-29T18:15:14Z",
    "severity": "MODERATE"
  },
  "details": "Serilog (before v2.1.0) contains a Client IP Spoofing vulnerability, which allows attackers to falsify their IP addresses in log files by specifying an arbitrary IP as a value of X-Forwarded-For or Client-Ip headers while performing HTTP requests.\n\nIt is not possible to configure Serilog.Enrichers.ClientInfo to not trust the X-Forwarded-For header.",
  "id": "GHSA-5x5q-cqf6-gj8r",
  "modified": "2024-09-04T21:35:00Z",
  "published": "2024-08-29T18:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44930"
    },
    {
      "type": "WEB",
      "url": "https://github.com/serilog-contrib/serilog-enrichers-clientinfo/issues/29"
    },
    {
      "type": "WEB",
      "url": "https://github.com/serilog-contrib/serilog-enrichers-clientinfo/pull/38"
    },
    {
      "type": "WEB",
      "url": "https://github.com/serilog-contrib/serilog-enrichers-clientinfo/commit/a72051d1900131e6fb30bcfd9491a988167fb6ac"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/serilog-contrib/serilog-enrichers-clientinfo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/serilog-contrib/serilog-enrichers-clientinfo/releases/tag/v2.1.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Serilog Client IP Spoofing vulnerability"
}

GHSA-6294-G9W5-7VM5

Vulnerability from github – Published: 2025-04-20 00:31 – Updated: 2025-04-20 00:31
VLAI
Details

SSL.com before 2025-04-19, when domain validation method 3.2.2.4.14 is used, processes certificate requests such that a trusted TLS certificate may be issued for the domain name of a requester's email address, even when the requester does not otherwise establish administrative control of that domain.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-19T22:15:14Z",
    "severity": "MODERATE"
  },
  "details": "SSL.com before 2025-04-19, when domain validation method 3.2.2.4.14 is used, processes certificate requests such that a trusted TLS certificate may be issued for the domain name of a requester\u0027s email address, even when the requester does not otherwise establish administrative control of that domain.",
  "id": "GHSA-6294-g9w5-7vm5",
  "modified": "2025-04-20T00:31:40Z",
  "published": "2025-04-20T00:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43918"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1961406"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=43738485"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-62C8-MH53-4CQV

Vulnerability from github – Published: 2024-09-19 14:48 – Updated: 2024-09-25 19:29
VLAI
Summary
HTTP client can manipulate custom HTTP headers that are added by Traefik
Details

Impact

There is a vulnerability in Traefik that allows the client to remove the X-Forwarded headers (except the header X-Forwarded-For).

Patches

  • https://github.com/traefik/traefik/releases/tag/v2.11.9
  • https://github.com/traefik/traefik/releases/tag/v3.1.3

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description ### Summary When a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified. For HTTP/1.1, however, it was found that some of theses custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior, that headers can be defined as hop-by-hop via the HTTP Connection header. By setting the following connection header, the X-Forwarded-Host header can, for example, be removed: Connection: close, X-Forwarded-Host Depending on how the receiving application handles such cases, security implications may arise. Moreover, some application frameworks (e.g. Django) first transform the "-" to "_" signs, making it possible for the HTTP client to even modify these headers in these cases. This is similar to [CVE-2022-31813](https://nvd.nist.gov/vuln/detail/CVE-2022-31813) for Apache HTTP Server. ### Details It was found that the following headers can be removed in this way (i.e. by specifing them within a connection header): - X-Forwarded-Host - X-Forwarded-Port - X-Forwarded-Proto - X-Forwarded-Server - X-Real-Ip - X-Forwarded-Tls-Client-Cert - X-Forwarded-Tls-Client-Cert-Info ### PoC The following docker-compose file has been used for a simple setup:
services:
  traefik:
    image: traefik:v3.1
    container_name: traefik
    ports:
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yaml:/etc/traefik/traefik.yaml
      - ./traefik-certs:/certs

  python-http:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: python-http
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.python-http.rule=Host(`python.example.com`)"
      - "traefik.http.routers.python-http.entrypoints=websecure"
      - "traefik.http.routers.python-http.tls=true"
      - "traefik.http.services.python-http.loadbalancer.server.port=8080"
The following traefik.yaml has been used:
providers:
  docker:
    exposedByDefault: false
    watch: true
  file:
    fileName: /etc/traefik/traefik.yaml
    watch: true

entryPoints:
  websecure:
    address: ":443"

tls:
  certificates:
    - certFile: /certs/server-cert.pem
      keyFile: /certs/server-key.pem
The Python container just includes a simple Python HTTP server that prints the HTTP headers it receives. Here is the Dockerfile for the container:
FROM python:3-alpine

# Copy the Python script to the container
COPY server.py /server.py

# Set the working directory
WORKDIR /

# Command to run the Python server
CMD ["python", "/server.py"]
And here is the Python script: ``` from http.server import BaseHTTPRequestHandler, HTTPServer class RequestHandler(BaseHTTPRequestHandler): def _send_response(self): self.send_response(200) self.send_header("Content-type", "text/plain") self.end_headers() self.wfile.write(str(self.headers).encode("utf-8")) def do_GET(self): self._send_response() if __name__ == "__main__": server = HTTPServer(('0.0.0.0', 8080), RequestHandler) print("Server started on port 8080") server.serve_forever()

The environment is run with `sudo docker-compose up`.

A normal HTTP request/response pair looks like this:

**Request 1**

GET / HTTP/1.1 Host: python.example.com User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 Priority: u=0, i Connection: close

**Response 1**

HTTP/1.1 200 OK Content-Type: text/plain Date: Tue, 03 Sep 2024 06:53:49 GMT Server: BaseHTTP/0.6 Python/3.12.5 Connection: close Content-Length: 556 Host: python.example.com User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 Priority: u=0, i X-Forwarded-For: 172.20.0.1 X-Forwarded-Host: python.example.com X-Forwarded-Port: 443 X-Forwarded-Proto: https X-Forwarded-Server: 3138fe4f0a2e X-Real-Ip: 172.20.0.1

The custom headers added by Traefik can be seen in the response.

Next, a request, where the X-Forwarded-Host header is defined as a hop-by-hop header via the Connection header is sent:

**Request 2**

GET / HTTP/1.1 Host: python.example.com User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 Priority: u=0, i Connection: close, X-Forwarded-Host

**Response 2**

Host: python.example.com User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 Priority: u=0, i X-Forwarded-For: 172.20.0.1 X-Forwarded-Port: 443 X-Forwarded-Proto: https X-Forwarded-Server: 3138fe4f0a2e X-Real-Ip: 172.20.0.1

As can be seen from the response, the X-Forwarded-Host header that had been added by Traefik has been removed from the request.

Moreover, the next request/response pair demonstrates that a custom header with underscore instead of hyphen can be added:

**Request 3**

GET / HTTP/1.1 Host: python.example.com User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 Priority: u=0, i X_Forwarded_Host: myhost Connection: close, X-Forwarded-Host

**Response 3**

HTTP/1.1 200 OK Content-Type: text/plain Date: Tue, 03 Sep 2024 06:54:48 GMT Server: BaseHTTP/0.6 Python/3.12.5 Connection: close Content-Length: 544 Host: python.example.com User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7 Priority: u=0, i X-Forwarded-For: 172.20.0.1 X-Forwarded-Port: 443 X-Forwarded-Proto: https X-Forwarded-Server: 3138fe4f0a2e X-Real-Ip: 172.20.0.1 X_forwarded_host: myhost ```` Some backend frameworks (e.g. Django) handle X-Forwarded-Host and X_forwarded_host in the same way. As there is no X-Forwarded-Host header present in the request, the X_forwarded_host header will be used. It should be noted that when X-Forwarded-Host is present and a X_forwarded_host header is sent, usually the first occurence of the header will be used, which is in this case X-Forwarded-Host. It should be noted that the headers X-Forwarded-Tls-Client-Cert and X-Forwarded-Tls-Client-Cert-Info are also affected. Here, client certificate authentication would need to be enabled in the Traefik setup. ### Impact All applications that trust the custom headers set by Traefik are affected by this vulnerability. As an example, assume that a backend application trusts Traefik to validate client certificates and trusts therefore the values that are sent within the X-Forwarded-Tls-Client-Cert header, but does not validate the certificate anew. If the header is removed via the vulnerability, and the application framework allows for alternative names (e.g. by transforming the headers to lower case, and "-" to "_"), an attacker can place his own X_Forwarded_TLS_Client_Cert header in the request. This could lead to privilege escalation, as the attacker may put an (invalid) certificate in this header that would just be accepted by the application, but may contain other data than the certificate that is presented to Traefik for Client Certificate Authentication. Moreover, if the backend application uses any of the other custom headers for security-sensitive operations, the removal or modification of these headers may also security implications (e.g. access control bypass). The severity is the same as for [CVE-2022-31813](https://nvd.nist.gov/vuln/detail/CVE-2022-31813) for Apache HTTP Server, i.e. 9.8 Critical.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-beta3"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/traefik/traefik"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45410"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-348"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-19T14:48:10Z",
    "nvd_published_at": "2024-09-19T23:15:11Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThere is a vulnerability in Traefik that allows the client to remove the X-Forwarded headers (except the header X-Forwarded-For).\n\n### Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.9\n- https://github.com/traefik/traefik/releases/tag/v3.1.3\n\n### Workarounds\n\nNo workaround.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n### Summary\n\nWhen a HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. For a HTTP client, it should not be possible to remove or modify these headers. Since the application trusts the value of these headers, security implications might arise, if they can be modified.\n\nFor HTTP/1.1, however, it was found that some of theses custom headers can indeed be removed and in certain cases manipulated. The attack relies on the HTTP/1.1 behavior, that headers can be defined as hop-by-hop via the HTTP Connection header. By setting the following connection header, the X-Forwarded-Host header can, for example, be removed:\n\nConnection: close, X-Forwarded-Host\n\nDepending on how the receiving application handles such cases, security implications may arise. Moreover, some application frameworks (e.g. Django) first transform the \"-\" to \"_\" signs, making it possible for the HTTP client to even modify these headers in these cases.\n\nThis is similar to [CVE-2022-31813](https://nvd.nist.gov/vuln/detail/CVE-2022-31813) for Apache HTTP Server.\n\n### Details\n\nIt was found that the following headers can be removed in this way (i.e. by specifing them within a connection header):\n\n- X-Forwarded-Host\n- X-Forwarded-Port\n- X-Forwarded-Proto\n- X-Forwarded-Server\n- X-Real-Ip\n- X-Forwarded-Tls-Client-Cert\n- X-Forwarded-Tls-Client-Cert-Info\n\n### PoC\n\nThe following docker-compose file has been used for a simple setup:\n\n```\nservices:\n  traefik:\n    image: traefik:v3.1\n    container_name: traefik\n    ports:\n      - \"443:443\"\n    volumes:\n      - /var/run/docker.sock:/var/run/docker.sock:ro\n      - ./traefik.yaml:/etc/traefik/traefik.yaml\n      - ./traefik-certs:/certs\n\n  python-http:\n    build:\n      context: .\n      dockerfile: Dockerfile\n    container_name: python-http\n    labels:\n      - \"traefik.enable=true\"\n      - \"traefik.http.routers.python-http.rule=Host(`python.example.com`)\"\n      - \"traefik.http.routers.python-http.entrypoints=websecure\"\n      - \"traefik.http.routers.python-http.tls=true\"\n      - \"traefik.http.services.python-http.loadbalancer.server.port=8080\"\n```\n\nThe following traefik.yaml has been used:\n\n```\nproviders:\n  docker:\n    exposedByDefault: false\n    watch: true\n  file:\n    fileName: /etc/traefik/traefik.yaml\n    watch: true\n\nentryPoints:\n  websecure:\n    address: \":443\"\n\ntls:\n  certificates:\n    - certFile: /certs/server-cert.pem\n      keyFile: /certs/server-key.pem\n```\n\nThe Python container just includes a simple Python HTTP server that prints the HTTP headers it receives. Here is the Dockerfile for the container:\n\n```\nFROM python:3-alpine\n\n# Copy the Python script to the container\nCOPY server.py /server.py\n\n# Set the working directory\nWORKDIR /\n\n# Command to run the Python server\nCMD [\"python\", \"/server.py\"]\n```\n\nAnd here is the Python script:\n\n```\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\n\nclass RequestHandler(BaseHTTPRequestHandler):\n    def _send_response(self):\n        self.send_response(200)\n        self.send_header(\"Content-type\", \"text/plain\")\n        self.end_headers()\n        self.wfile.write(str(self.headers).encode(\"utf-8\"))\n\n    def do_GET(self):\n        self._send_response()\n\nif __name__ == \"__main__\":\n    server = HTTPServer((\u00270.0.0.0\u0027, 8080), RequestHandler)\n    print(\"Server started on port 8080\")\n    server.serve_forever()\n````\n\nThe environment is run with `sudo docker-compose up`.\n\nA normal HTTP request/response pair looks like this:\n\n**Request 1**\n\n````\nGET / HTTP/1.1\nHost: python.example.com\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nAccept-Encoding: gzip, deflate, br\nAccept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7\nPriority: u=0, i\nConnection: close\n````\n\n**Response 1**\n\n````\nHTTP/1.1 200 OK\nContent-Type: text/plain\nDate: Tue, 03 Sep 2024 06:53:49 GMT\nServer: BaseHTTP/0.6 Python/3.12.5\nConnection: close\nContent-Length: 556\n\nHost: python.example.com\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nAccept-Encoding: gzip, deflate, br\nAccept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7\nPriority: u=0, i\nX-Forwarded-For: 172.20.0.1\nX-Forwarded-Host: python.example.com\nX-Forwarded-Port: 443\nX-Forwarded-Proto: https\nX-Forwarded-Server: 3138fe4f0a2e\nX-Real-Ip: 172.20.0.1\n````\n\nThe custom headers added by Traefik can be seen in the response.\n\nNext, a request, where the X-Forwarded-Host header is defined as a hop-by-hop header via the Connection header is sent:\n\n**Request 2**\n\n````\nGET / HTTP/1.1\nHost: python.example.com\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nAccept-Encoding: gzip, deflate, br\nAccept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7\nPriority: u=0, i\nConnection: close, X-Forwarded-Host\n````\n\n**Response 2**\n\n````\nHost: python.example.com\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nAccept-Encoding: gzip, deflate, br\nAccept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7\nPriority: u=0, i\nX-Forwarded-For: 172.20.0.1\nX-Forwarded-Port: 443\nX-Forwarded-Proto: https\nX-Forwarded-Server: 3138fe4f0a2e\nX-Real-Ip: 172.20.0.1\n````\n\nAs can be seen from the response, the X-Forwarded-Host header that had been added by Traefik has been removed from the request.\n\nMoreover, the next request/response pair demonstrates that a custom header with underscore instead of hyphen can be added:\n\n**Request 3**\n\n````\nGET / HTTP/1.1\nHost: python.example.com\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nAccept-Encoding: gzip, deflate, br\nAccept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7\nPriority: u=0, i\nX_Forwarded_Host: myhost\nConnection: close, X-Forwarded-Host\n````\n\n**Response 3**\n\n````\nHTTP/1.1 200 OK\nContent-Type: text/plain\nDate: Tue, 03 Sep 2024 06:54:48 GMT\nServer: BaseHTTP/0.6 Python/3.12.5\nConnection: close\nContent-Length: 544\n\nHost: python.example.com\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\nAccept-Encoding: gzip, deflate, br\nAccept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7\nPriority: u=0, i\nX-Forwarded-For: 172.20.0.1\nX-Forwarded-Port: 443\nX-Forwarded-Proto: https\nX-Forwarded-Server: 3138fe4f0a2e\nX-Real-Ip: 172.20.0.1\nX_forwarded_host: myhost\n````\n\nSome backend frameworks (e.g. Django) handle X-Forwarded-Host and X_forwarded_host in the same way. As there is no X-Forwarded-Host header present in the request, the X_forwarded_host header will be used. \n\nIt should be noted that when X-Forwarded-Host is present and a X_forwarded_host header is sent, usually the first occurence of the header will be used, which is in this case X-Forwarded-Host.\n\nIt should be noted that the headers X-Forwarded-Tls-Client-Cert and X-Forwarded-Tls-Client-Cert-Info are also affected. Here, client certificate authentication would need to be enabled in the Traefik setup.\n\n### Impact\n\nAll applications that trust the custom headers set by Traefik are affected by this vulnerability. As an example, assume that a backend application trusts Traefik to validate client certificates and trusts therefore the values that are sent within the X-Forwarded-Tls-Client-Cert header, but does not validate the certificate anew.\n\nIf the header is removed via the vulnerability, and the application framework allows for alternative names (e.g. by transforming the headers to lower case, and \"-\" to \"_\"), an attacker can place his own X_Forwarded_TLS_Client_Cert header in the request. This could lead to privilege escalation, as the attacker may put an (invalid) certificate in this header that would just be accepted by the application, but may contain other data than the certificate that is presented to Traefik for Client Certificate Authentication.\n\nMoreover, if the backend application uses any of the other custom headers for security-sensitive operations, the removal or modification of these headers may also security implications (e.g. access control bypass).\n\nThe severity is the same as for [CVE-2022-31813](https://nvd.nist.gov/vuln/detail/CVE-2022-31813) for Apache HTTP Server, i.e. 9.8 Critical.\n\u003c/details\u003e",
  "id": "GHSA-62c8-mh53-4cqv",
  "modified": "2024-09-25T19:29:53Z",
  "published": "2024-09-19T14:48:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45410"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/commit/584144100524277829f26219baaab29a53b8134f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/traefik/traefik"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v2.11.9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/traefik/traefik/releases/tag/v3.1.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "HTTP client can manipulate custom HTTP headers that are added by Traefik"
}

GHSA-62Q4-HC79-94QJ

Vulnerability from github – Published: 2024-11-14 15:32 – Updated: 2025-11-04 00:32
VLAI
Details

Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-10977"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-14T13:15:04Z",
    "severity": "LOW"
  },
  "details": "Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application.  For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results.  This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text.  Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.",
  "id": "GHSA-62q4-hc79-94qj",
  "modified": "2025-11-04T00:32:03Z",
  "published": "2024-11-14T15:32:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10977"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://www.postgresql.org/support/security/CVE-2024-10977"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-64R5-36HC-63P9

Vulnerability from github – Published: 2024-06-19 09:31 – Updated: 2024-06-19 09:31
VLAI
Details

The WP Maintenance plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 6.1.9.2 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass maintenance mode.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-19T08:15:48Z",
    "severity": "MODERATE"
  },
  "details": "The WP Maintenance plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 6.1.9.2 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass maintenance mode.",
  "id": "GHSA-64r5-36hc-63p9",
  "modified": "2024-06-19T09:31:17Z",
  "published": "2024-06-19T09:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0789"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3078682%40wp-maintenance%2Ftrunk\u0026old=3069916%40wp-maintenance%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f6bbaa1-c50f-4dad-9e5b-04bdffd4a0ae?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-65MW-H472-CFQ6

Vulnerability from github – Published: 2024-08-17 09:30 – Updated: 2024-08-17 09:30
VLAI
Details

The LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4532"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-17T08:15:04Z",
    "severity": "MODERATE"
  },
  "details": "The LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address from logging in.",
  "id": "GHSA-65mw-h472-cfq6",
  "modified": "2024-08-17T09:30:23Z",
  "published": "2024-08-17T09:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4532"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/login-attempts-limit-wp/trunk/includes/Ip.php#L41"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50421e90-ccd6-4896-8041-b99279314301?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-72FG-F46J-5GVP

Vulnerability from github – Published: 2026-05-19 15:31 – Updated: 2026-05-19 15:31
VLAI
Details

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43634"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-19T15:16:31Z",
    "severity": "HIGH"
  },
  "details": "HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare\u0027s network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.",
  "id": "GHSA-72fg-f46j-5gvp",
  "modified": "2026-05-19T15:31:35Z",
  "published": "2026-05-19T15:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43634"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hestiacp/hestiacp/issues/5229"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hestiacp/hestiacp/pull/5273"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hestiacp/hestiacp/commit/f381e294500f671cf12716c638afd0bfde901f88"
    },
    {
      "type": "WEB",
      "url": "https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/hestiacp-ip-spoofing-via-cf-connecting-ip-header"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-79JV-5226-783F

Vulnerability from github – Published: 2024-10-24 18:00 – Updated: 2024-10-30 19:03
VLAI
Summary
OpenRefine has a reflected cross-site scripting vulnerability (XSS) from POST request in ExportRowsCommand
Details

Summary

The export-rows command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request.

An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled Content-Type header, and so potentially executed in the victim's browser as if it was part of OpenRefine.

The attacker must know a valid project ID of a project that contains at least one row.

Details

The malicious form sets contentType to text/html (ExportRowsCommand.java line 101) and preview to true (line 107). This combination causes the browser to treat what OpenRefine thinks of as an export preview as a regular webpage.

It would be safer if the export-rows command did not allow overriding the Content-Type header at all, instead relying on the exporter to provide the correct Content-Type. It could also require a CSRF token. As an additional measure, it could add a Content-Security-Policy header to the response disabling scripts and such entirely.

At least the CSV exporter (separator and lineSeparator fields) and templating exporter (any field) are affected. It may also be possible to inject into the dateSettings.custom field or the SQL exporter default value field, if the project contains date or null cells.

PoC

An example form that demonstrates the issue is available on https://wandernauta.nl/os/.

Impact

Execution of arbitrary JavaScript in the user's browser. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openrefine:openrefine"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47880"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-24T18:00:06Z",
    "nvd_published_at": "2024-10-24T21:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request.\n\nAn attacker could lead a user to a malicious page that submits a form POST that contains  embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim\u0027s browser as if it was part of OpenRefine.\n\nThe attacker must know a valid project ID of a project that contains at least one row.\n\n### Details\n\nThe malicious form sets `contentType` to `text/html` (ExportRowsCommand.java line 101) and `preview` to `true` (line 107). This combination causes the browser to treat what OpenRefine thinks of as an export preview as a regular webpage.\n\nIt would be safer if the `export-rows` command did not allow overriding the Content-Type header at all, instead relying on the exporter to provide the correct Content-Type. It could also require a CSRF token. As an additional measure, it could add a Content-Security-Policy header to the response disabling scripts and such entirely.\n\nAt least the CSV exporter (`separator` and `lineSeparator` fields) and templating exporter (any field) are affected. It may also be possible to inject into the `dateSettings.custom` field or the SQL exporter default value field, if the project contains date or null cells.\n\n### PoC\n\nAn example form that demonstrates the issue is available on https://wandernauta.nl/os/.\n\n### Impact\n\nExecution of arbitrary JavaScript in the user\u0027s browser. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present.",
  "id": "GHSA-79jv-5226-783f",
  "modified": "2024-10-30T19:03:19Z",
  "published": "2024-10-24T18:00:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-79jv-5226-783f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47880"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenRefine/OpenRefine"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenRefine has a reflected cross-site scripting vulnerability (XSS) from POST request in ExportRowsCommand"
}

GHSA-899R-9FXV-Q4XM

Vulnerability from github – Published: 2026-06-08 18:31 – Updated: 2026-06-08 21:31
VLAI
Details

OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-37248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-08T16:16:33Z",
    "severity": "MODERATE"
  },
  "details": "OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.",
  "id": "GHSA-899r-9fxv-q4xm",
  "modified": "2026-06-08T21:31:49Z",
  "published": "2026-06-08T18:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37248"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OfflineIMAP/offlineimap/issues/669"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OfflineIMAP/offlineimap3/issues/222"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OfflineIMAP/offlineimap3/commit/46505c53ef995455d66c685f9ec3ff6ea93dbb74"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/offlineimap/#history"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/08/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-8P2X-5CPM-QRQW

Vulnerability from github – Published: 2026-03-25 19:54 – Updated: 2026-03-25 19:54
VLAI
Summary
AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()
Details

Summary

The getRealIpAddr() function in objects/functions.php trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging.

Vulnerable Code

File: objects/functions.php

$headers = [
    'HTTP_X_REAL_IP',      
    'HTTP_CLIENT_IP',    
    'HTTP_X_FORWARDED_FOR',
    'REMOTE_ADDR'
];

foreach ($headers as $header) {
    if (!empty($_SERVER[$header])) {
        $ips = explode(',', $_SERVER[$header]);
        foreach ($ips as $ipCandidate) {
            $ipCandidate = trim($ipCandidate);
            if (filter_var($ipCandidate, FILTER_VALIDATE_IP, 
                           FILTER_FLAG_IPV4)) {
                return $ipCandidate; 
            }
        }
    }
}

Attack Scenario

  1. Attacker sends request with forged header:
X-Client-IP: 127.0.0.1

or

X-Real-IP: 192.168.1.1
  1. getRealIpAddr() returns the forged IP
  2. Any IP-based rate limiting, access control, or audit log that relies on this function is bypassed

Proof of Concept

curl -H "X-Client-IP: 127.0.0.1" \
     https://target.com/any_endpoint.php

The server now believes the request came from localhost.

Impact

  • Bypass IP-based rate limiting
  • Bypass IP-based access controls
  • Forge audit log entries
  • Potential privilege escalation if localhost is trusted
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-348"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T19:54:42Z",
    "nvd_published_at": "2026-03-23T19:16:42Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client\u0027s IP address. \nAn attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging.\n\n## Vulnerable Code\n\nFile: `objects/functions.php`\n```php\n$headers = [\n    \u0027HTTP_X_REAL_IP\u0027,      \n    \u0027HTTP_CLIENT_IP\u0027,    \n    \u0027HTTP_X_FORWARDED_FOR\u0027,\n    \u0027REMOTE_ADDR\u0027\n];\n\nforeach ($headers as $header) {\n    if (!empty($_SERVER[$header])) {\n        $ips = explode(\u0027,\u0027, $_SERVER[$header]);\n        foreach ($ips as $ipCandidate) {\n            $ipCandidate = trim($ipCandidate);\n            if (filter_var($ipCandidate, FILTER_VALIDATE_IP, \n                           FILTER_FLAG_IPV4)) {\n                return $ipCandidate; \n            }\n        }\n    }\n}\n```\n\n## Attack Scenario\n\n1. Attacker sends request with forged header:\n```\nX-Client-IP: 127.0.0.1\n```\nor\n```\nX-Real-IP: 192.168.1.1\n```\n\n2. `getRealIpAddr()` returns the forged IP\n3. Any IP-based rate limiting, access control, or audit \n   log that relies on this function is bypassed\n\n## Proof of Concept\n```bash\ncurl -H \"X-Client-IP: 127.0.0.1\" \\\n     https://target.com/any_endpoint.php\n```\n\nThe server now believes the request came from localhost.\n\n## Impact\n- Bypass IP-based rate limiting\n- Bypass IP-based access controls\n- Forge audit log entries\n- Potential privilege escalation if localhost is trusted",
  "id": "GHSA-8p2x-5cpm-qrqw",
  "modified": "2026-03-25T19:54:42Z",
  "published": "2026-03-25T19:54:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p2x-5cpm-qrqw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33690"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()"
}

No mitigation information available for this CWE.

CAPEC-141: Cache Poisoning

An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.

CAPEC-142: DNS Cache Poisoning

A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.

CAPEC-73: User-Controlled Filename

An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

CAPEC-85: AJAX Footprinting

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.