Skip to main content

GoFiber EUVDEUVD-2026-42351

| CVE-2026-45045 MEDIUM
Authentication Bypass by Spoofing (CWE-290)
2026-07-02 https://github.com/gofiber/fiber GHSA-gcfq-8gqf-4876
5.3
CVSS 3.1 · Vendor: https://github.com/gofiber/fiber
Share

Severity by source

Vendor (https://github.com/gofiber/fiber) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

No credentials or special conditions needed beyond sending an HTTP header; integrity is Low because only IP-dependent control decisions at upstream are manipulated, not data directly.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (https://github.com/gofiber/fiber).

CVSS VectorVendor: https://github.com/gofiber/fiber

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 15:01 vuln.today
CVE Published
Jul 02, 2026 - 13:50 github-advisory
MEDIUM 5.3

DescriptionCVE.org

Summary

The BalancerForward proxy helper in GoFiber uses Header.Add() instead of Header.Set() when injecting the X-Real-IP header. This appends the real client IP as a second header value rather than replacing any attacker-supplied value. Upstream servers that read the first X-Real-IP header (nginx, Express, most HTTP servers) use the attacker's spoofed IP for logging, rate limiting, and access control.

Vulnerable Code

File: middleware/proxy/proxy.go, lines 270-285

go
func BalancerForward(servers []string, clients ...*fasthttp.Client) fiber.Handler {
    r := &roundrobin{
        current: 0,
        pool:    servers,
    }
    return func(c fiber.Ctx) error {
        server := r.get()
        if !strings.HasPrefix(server, "http") {
            server = "http://" + server
        }
        c.Request().Header.Add("X-Real-IP", c.IP())   // line 282: Add, not Set
        return Do(c, server+c.OriginalURL(), clients...)
    }
}

Data Flow

  1. Attacker sends request with X-Real-IP: 10.0.0.1 (spoofed internal IP)
  2. BalancerForward handler executes at line 282
  3. c.Request().Header.Add("X-Real-IP", c.IP()) APPENDS the real IP as a second header
  4. Upstream server receives: X-Real-IP: 10.0.0.1 AND X-Real-IP: <real-attacker-ip>
  5. Most HTTP servers (nginx, Node.js, Apache) read the FIRST value
  6. Upstream uses 10.0.0.1 for all IP-dependent logic

Impact

  • Rate limit bypass: IP-based rate limiting at the upstream uses the spoofed IP, allowing unlimited requests
  • IP ACL bypass: Internal IP allowlists (e.g., admin panels restricted to 10.0.0.0/8) can be bypassed
  • Audit log poisoning: Security logs record the spoofed IP, making incident investigation unreliable
  • Geolocation bypass: IP-based geofencing or region restrictions are circumvented

Fix

Replace Header.Add() with Header.Set() at line 282:

go
c.Request().Header.Set("X-Real-IP", c.IP())

Header.Set() replaces any existing header value, ensuring only the real client IP is forwarded.

AnalysisAI

IP header spoofing in GoFiber's BalancerForward proxy middleware allows any remote unauthenticated attacker to inject a forged X-Real-IP header that upstream servers treat as authoritative. The middleware calls Header.Add() rather than Header.Set() when stamping the real client IP, causing the attacker-supplied value to remain as the first header instance - the one read by nginx, Express, Apache, and most HTTP servers for rate limiting, IP-based ACLs, and audit logging. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send HTTP request with forged X-Real-IP header
Delivery
GoFiber BalancerForward appends real IP without removing spoofed value
Exploit
Upstream receives attacker-controlled first X-Real-IP header
Execution
Upstream resolves first header occurrence as authoritative IP
Impact
Bypass IP-based ACL or rate limit at upstream service

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application uses GoFiber's BalancerForward middleware specifically; other GoFiber proxy helpers sharing the same codebase but not calling this function are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately reflects low complexity and no authentication requirement but conservatively scores integrity impact as Low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends an HTTP GET request to a GoFiber BalancerForward proxy with the header X-Real-IP: 10.0.0.1 set to a spoofed internal IP associated with a privileged allow-list. The BalancerForward middleware appends the attacker's real IP as a second X-Real-IP value, forwarding both to the upstream server. …
Remediation The fix is a one-line change: replace Header.Add("X-Real-IP", c.IP()) with Header.Set("X-Real-IP", c.IP()) at line 282 of middleware/proxy/proxy.go. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

EUVD-2026-42351 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy