30 matches found
CVE-2026-55430
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware...
IP Address Spoofing
Spring Cloud Gateway is vulnerable to IP Address Spoofing. The vulnerability is due to improper trust of X-Forwarded-For and Forwarded headers from untrusted proxies, allowing attackers to supply forged client IP information that may be used by downstream applications for security decisions,...
EUVD-2026-37000
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x fix 3.1.13. Spring Cloud Gateway 4.1.x fix 4.1.13. Spri...
CVE-2026-47825 Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x fix 3.1.13. Spring Cloud Gateway 4.1.x fix 4.1.13. Spri...
CVE-2026-47825
The CVE affects Spring Cloud Gateway Server components (WebMVC and WebFlux gateways) where headers from untrusted proxies (X-Forwarded-For, Forwarded) are forwarded in certain configurations. Root cause: forwarded-header handling without a trusted-proxy basis allows forged headers to reach downst...
PT-2026-49468
Name of the Vulnerable Software and Affected Versions Spring Cloud Gateway versions prior to 3.1.13 Spring Cloud Gateway versions prior to 4.1.13 Spring Cloud Gateway versions prior to 4.2.9 Spring Cloud Gateway versions prior to 4.3.5 Spring Cloud Gateway versions prior to 5.0.2 Description Spri...
Use of Less Trusted Source
Overview Affected versions of this package are vulnerable to Use of Less Trusted Source. Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded request headers it receives from untrusted proxies to downstream services. Both the WebFlux and WebMVC Gateway Servers process these...
CVE-2026-47825: Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers...
PYSEC-2026-125
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the setsessioncookiesecure beforerequest handler in src/pyload/webui/app/init.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted prox...
Cleartext Transmission of Sensitive Information
Overview Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information in the process of establishing HTTPS tunnels through a configured HTTP proxy. An attacker can intercept sensitive session cookies by performing a man-in-the-middle attack or by controlling...
CVE-2025-66508
1Panel (GitHub/Governance: 1Panel) contains a vulnerability where Gin’s default proxy trust config (TrustedProxies = 0.0.0.0/0) causes X-Forwarded-For headers to be trusted, letting attackers bypass IP-based access controls (AllowIPs, API whitelists, localhost checks) by sending X-Forwarded-For: ...
GHSA-HM36-FFRH-C77C Litestar X-Forwarded-For Header Spoofing Vulnerability Enables Rate Limit Evasion
While testing Litestar's RateLimitMiddleware, I discovered that rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined attackers. The Problem Litestar's RateLimitMiddleware uses cachekeyfromrequest to...
EUVD-2025-16457
Malicious code in bioql PyPI...
Security Bulletin: IBM watsonx Orchestrate Cartridge affected by vulnerability in spring-cloud-starter-gateway-4.1.7.jar
Summary IBM watsonx Orchestrate Cartridge contains a vulnerable version of spring-cloud-starter-gateway-4.1.7.jar Vulnerability Details CVEID:CVE-2025-41235 DESCRIPTION: Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies. CWE:CWE-444: Inconsisten...
Spoofing Attack
org.springframework.cloud, spring-cloud-gateway-server is vulnerable to Spoofing Attack. The vulnerability is due to insufficient validation of X-Forwarded-For and Forwarded headers from untrusted proxies, allowing attackers to spoof client IP addresses...
CVE-2025-41235
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies...
Unintended Proxy or Intermediary ('Confused Deputy')
Overview Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' due to the improper validation of X-Forwarded-For and Forwarded headers forwarded from untrusted proxies. An attacker can manipulate the server's behavior by sending crafted headers fro...
GHSA-6J2Q-C73V-97C5 Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies...
Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies...
CVE-2025-41235
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies...