Launch Week Day 1: Announcing Security Design Review
Start for Free
MEDIUM 6.5 Go

1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers

GHSA-7cqv-qcq2-r765 · CVE-2025-66508 · GO-2025-4207

Published · Modified

Description

Summary

The server trusts all reverse-proxy headers by default, so any remote client can spoof X-Forwarded-For to bypass IP-based protections (AllowIPs, API IP whitelist, “localhost-only” checks). All IP-based access control becomes ineffective.

Details

  • Gin is created with defaults (gin.Default()), which sets TrustedProxies = 0.0.0.0/0 and uses X-Forwarded-For/X-Real-IP to compute ClientIP().

  • IP-based controls rely on ClientIP():

    • AllowIPs / BindDomain (core/middleware/ip_limit.go, core/utils/security/security.go).
    • API IP whitelist (core/middleware/api_auth.go).
    • "localhost-only" checks that depend on ClientIP().

  • Because no trusted-proxy range is enforced, any client can send X-Forwarded-For: 127.0.0.1 (or a whitelisted IP) and be treated as coming from that address.

Impact

All IP-based access control is rendered ineffective: remote clients can masquerade as localhost or any whitelisted IP, defeating AllowIPs, API IP whitelists, and “localhost-only” protections.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes