Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog Latest Updates Security News
Sign In Sign Up

CVE-2025-48865

CRITICAL
Published 2025-05-30T06:14:45.819Z
Actions:

CVSS Score

V3.1
9.1
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
HIGH
Integrity
HIGH
Availability
NONE

Description

Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities. Some of these custom headers can be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been patched in version 1.6.6.

Available Exploits

No exploits available for this CVE.

Related News

Critical Flaw in Fabio Load Balancer Allows HTTP Header Tampering & Access Bypass

The post Critical Flaw in Fabio Load Balancer Allows HTTP Header Tampering & Access Bypass appeared first on Daily CyberSecurity.

SecurityOnline.info 2025-06-02 00:39
Read More

Affected Products

fabiolb

fabio

Affected Versions:

< 1.6.6

References

https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf
https://github.com/fabiolb/fabio/commit/fdaf1e966162e9dd3b347ffdd0647b39dc71a1a3
https://github.com/fabiolb/fabio/releases/tag/v1.6.6
Published: 2025-05-30T06:14:45.819Z
Last Modified: 2025-05-30T12:24:19.086Z
Copied to clipboard!