CVE-2026-45045

ADVISORY - github

Summary

The BalancerForward proxy helper in GoFiber uses Header.Add() instead of Header.Set() when injecting the X-Real-IP header. This appends the real client IP as an additional X-Real-IP value rather than replacing any attacker-supplied one, so the attacker's value reaches the upstream first. Upstream servers that take the first value of a repeated header (for example Go's net/http Header.Get, or nginx before 1.23), and those that join duplicates with ", " and then read the leading element (Node.js/Express), end up using the attacker's spoofed IP for logging, rate limiting, and access control.

Vulnerable Code

File: middleware/proxy/proxy.go, lines 270-285

// Excerpt; roundrobin and Do are defined elsewhere in the same file.
func BalancerForward(servers []string, clients ...*fasthttp.Client) fiber.Handler {
    r := &roundrobin{
        current: 0,
        pool:    servers,
    }
    return func(c fiber.Ctx) error {
        server := r.get()
        if !strings.HasPrefix(server, "http") {
            server = "http://" + server
        }
        // c.IP() is the proxy's view of the client address. Add appends it
        // after any X-Real-IP value the client already sent.
        c.Request().Header.Add("X-Real-IP", c.IP())   // line 282: Add, not Set
        return Do(c, server+c.OriginalURL(), clients...)
    }
}

Data Flow

  1. Attacker sends a request with X-Real-IP: 10.0.0.1 (a spoofed internal IP)
  2. The BalancerForward handler executes at line 282
  3. c.Request().Header.Add("X-Real-IP", c.IP()) APPENDS the real IP as a second header
  4. The upstream receives two header lines, in this order: X-Real-IP: 10.0.0.1 and X-Real-IP: <real-attacker-ip>
  5. Upstreams that take the first value (Go's net/http Header.Get, nginx before 1.23) see 10.0.0.1; upstreams that join duplicates with ", " (Node.js, nginx 1.23+) see "10.0.0.1, <real-attacker-ip>", which the common split-on-comma-and-take-the-first parsing also reduces to 10.0.0.1
  6. Either way, the upstream uses 10.0.0.1 for all IP-dependent logic

Impact

  • Rate limit bypass: IP-based rate limiting at the upstream uses the spoofed IP, allowing unlimited requests
  • IP ACL bypass: Internal IP allowlists (e.g., admin panels restricted to 10.0.0.0/8) can be bypassed
  • Audit log poisoning: Security logs record the spoofed IP, making incident investigation unreliable
  • Geolocation bypass: IP-based geofencing or region restrictions are circumvented

Fix

Replace Header.Add() with Header.Set() at line 282:

c.Request().Header.Set("X-Real-IP", c.IP())

Header.Set() replaces any existing X-Real-IP value, so only the proxy's view of the client address is forwarded. One caveat for operators: this helps only if c.IP() is itself the TCP peer address. If the Fiber app is configured with ProxyHeader so that c.IP() is derived from an inbound header, that header must in turn be set by a trusted hop in front of Fiber (Fiber's trusted-proxy configuration), or the same spoofing applies one layer earlier.
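The following self-contained Go program is an added example, not code from GoFiber or from the advisory. It reproduces the Data Flow above and the Fix with the standard library only: a loopback reverse proxy (net/http/httputil) injects X-Real-IP either with Header.Add (the vulnerable behaviour) or Header.Set (the fix), and a constructed upstream enforces a hypothetical 10.0.0.0/8 admin allowlist on Header.Get, i.e. on the first value, the way net/http does. The names newForwarder, runScenario, peerIP and internalNet, the /admin path and the spoofed address 10.0.0.1 are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync"
)

// internalNet is a constructed allowlist for the hypothetical upstream admin
// panel: only clients that appear to come from 10.0.0.0/8 are admitted.
var internalNet = func() *net.IPNet {
	_, n, _ := net.ParseCIDR("10.0.0.0/8")
	return n
}()

// peerIP returns the TCP peer address of r, ignoring every header.
// This is the "real" client IP the proxy is supposed to forward.
func peerIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// newForwarder builds a reverse proxy that injects X-Real-IP before forwarding.
// useSet=false reproduces the vulnerable Header.Add behaviour from the advisory;
// useSet=true applies the fix (Header.Set), which drops any client-supplied value.
func newForwarder(upstream *url.URL, useSet bool) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	base := rp.Director
	rp.Director = func(out *http.Request) {
		base(out)
		ip := peerIP(out) // Request.Clone keeps RemoteAddr from the inbound request
		if useSet {
			out.Header.Set("X-Real-IP", ip)
		} else {
			out.Header.Add("X-Real-IP", ip) // appends: the attacker's value stays first
		}
	}
	return rp
}

// scenarioResult records what the upstream observed and how its ACL decided.
type scenarioResult struct {
	FirstValue string   // r.Header.Get("X-Real-IP"): the first value on the wire
	AllValues  []string // every X-Real-IP value the upstream received, in order
	Status     int      // 200 if the ACL admitted the request, 403 otherwise
}

// runScenario stands up an upstream and a proxy on loopback, sends one request
// carrying an attacker-chosen X-Real-IP through the proxy, and reports what the
// upstream saw. The ACL uses Header.Get, i.e. the first value, like net/http.
func runScenario(useSet bool, spoofed string) (scenarioResult, error) {
	var mu sync.Mutex
	var res scenarioResult
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		first := r.Header.Get("X-Real-IP")
		mu.Lock()
		res.FirstValue = first
		res.AllValues = append([]string(nil), r.Header.Values("X-Real-IP")...)
		mu.Unlock()
		if ip := net.ParseIP(first); ip != nil && internalNet.Contains(ip) {
			w.WriteHeader(http.StatusOK)
			return
		}
		w.WriteHeader(http.StatusForbidden)
	}))
	defer upstream.Close()

	upstreamURL, err := url.Parse(upstream.URL)
	if err != nil {
		return res, err
	}
	proxy := httptest.NewServer(newForwarder(upstreamURL, useSet))
	defer proxy.Close()

	req, err := http.NewRequest(http.MethodGet, proxy.URL+"/admin", nil)
	if err != nil {
		return res, err
	}
	req.Header.Set("X-Real-IP", spoofed) // attacker-supplied header
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return res, err
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()
	res.Status = resp.StatusCode // handler has finished; no further writes to res
	return res, nil
}

func main() {
	for _, useSet := range []bool{false, true} {
		r, err := runScenario(useSet, "10.0.0.1")
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("Header.Set=%-5v upstream saw %v, used %q, status %d\n",
			useSet, r.AllValues, r.FirstValue, r.Status)
	}
}
```

With Header.Add the upstream receives two X-Real-IP lines, uses the spoofed 10.0.0.1 and admits the request to /admin; with Header.Set it receives only the loopback peer address and returns 403. Run the same program against an upstream that joins duplicate headers (Node.js, nginx 1.23+) and the Add case still puts 10.0.0.1 first in the joined string.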

Common Weakness Enumeration (CWE)

CWE-290: Authentication Bypass by Spoofing
