CVE-2026-45045
ADVISORY - github
Summary
The BalancerForward proxy helper in GoFiber uses Header.Add() instead of Header.Set() when injecting the X-Real-IP header. This appends the real client IP as a second header value rather than replacing any attacker-supplied value. Upstream servers that read the first X-Real-IP header (nginx, Express, most HTTP servers) use the attacker's spoofed IP for logging, rate limiting, and access control.
Vulnerable Code
File: middleware/proxy/proxy.go, lines 270-285
func BalancerForward(servers []string, clients ...*fasthttp.Client) fiber.Handler {
	r := &roundrobin{
		current: 0,
		pool:    servers,
	}
	return func(c fiber.Ctx) error {
		server := r.get()
		if !strings.HasPrefix(server, "http") {
			server = "http://" + server
		}
		c.Request().Header.Add("X-Real-IP", c.IP()) // line 282: Add, not Set
		return Do(c, server+c.OriginalURL(), clients...)
	}
}
Data Flow
- Attacker sends a request with X-Real-IP: 10.0.0.1 (spoofed internal IP)
- BalancerForward handler executes at line 282: c.Request().Header.Add("X-Real-IP", c.IP()) APPENDS the real IP as a second header
- Upstream server receives: X-Real-IP: 10.0.0.1 AND X-Real-IP: <real-attacker-ip>
- Most HTTP servers (nginx, Node.js, Apache) read the FIRST value
- Upstream uses 10.0.0.1 for all IP-dependent logic
Impact
- Rate limit bypass: IP-based rate limiting at the upstream uses the spoofed IP, allowing unlimited requests
- IP ACL bypass: Internal IP allowlists (e.g., admin panels restricted to 10.0.0.0/8) can be bypassed
- Audit log poisoning: Security logs record the spoofed IP, making incident investigation unreliable
- Geolocation bypass: IP-based geofencing or region restrictions are circumvented
Fix
Replace Header.Add() with Header.Set() at line 282:
c.Request().Header.Set("X-Real-IP", c.IP())
Header.Set() replaces any existing header value, ensuring only the real client IP is forwarded.
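To make the difference concrete, here is an added example (not GoFiber's code) that uses only Go's net/http header type: the proxy step with Add beside the fixed Set, an upstream that trusts the first value, and an assumed upstream-side check that rejects requests carrying duplicate X-Real-IP values. The spoofed and real IPs are constructed sample values.

```go
package main

import (
	"fmt"
	"net/http"
)

// Constructed sample values: the attacker's request already carries the
// spoofed X-Real-IP; realIP is the assumed peer address the proxy observes.
const spoofedIP, realIP = "10.0.0.1", "203.0.113.7"

func attackerRequest() http.Header {
	h := http.Header{}
	h.Set("X-Real-IP", spoofedIP)
	return h
}

// forwardWithAdd reproduces the vulnerable step: Add appends the real IP
// after the client-supplied value, so both values reach the upstream.
func forwardWithAdd(in http.Header) http.Header {
	out := in.Clone()
	out.Add("X-Real-IP", realIP)
	return out
}

// forwardWithSet reproduces the fix: Set discards the client-supplied value.
func forwardWithSet(in http.Header) http.Header {
	out := in.Clone()
	out.Set("X-Real-IP", realIP)
	return out
}

// upstreamClientIP models an upstream that trusts the first value, as the
// advisory says most servers do (Header.Get returns only the first value).
func upstreamClientIP(h http.Header) string { return h.Get("X-Real-IP") }

// strictClientIP is an assumed upstream-side hardening: refuse a request that
// carries more than one X-Real-IP value rather than silently using the first.
func strictClientIP(h http.Header) (string, error) {
	vals := h.Values("X-Real-IP")
	if len(vals) != 1 {
		return "", fmt.Errorf("expected exactly one X-Real-IP, got %v", vals)
	}
	return vals[0], nil
}

func main() {
	in := attackerRequest()
	fmt.Println("Add:", upstreamClientIP(forwardWithAdd(in)), "Set:", upstreamClientIP(forwardWithSet(in)))
}
```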
Common Weakness Enumeration (CWE)
Authentication Bypass by Spoofing