CVE-2025-66508
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 1panel | 1panel | 2.0.14 |
| fit2cloud | 1panel | up to 2.0.14 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in 1Panel versions 2.0.14 and below, where the software runs with Gin's default TrustedProxies configuration, which treats every connecting IP address as a trusted proxy. Under that setting any client can set the X-Forwarded-For header and have it honoured. Because the application relies on Gin's ClientIP() for its IP-based access controls, an attacker can bypass those controls by sending a forged X-Forwarded-For header carrying a whitelisted address such as 127.0.0.1. As a result, all IP-based security controls become ineffective.
How can this vulnerability impact me?
This vulnerability can allow attackers to bypass IP-based security controls like AllowIPs, API whitelists, and localhost-only checks by spoofing trusted IP addresses. This means unauthorized users could gain access to restricted areas or functionalities of the 1Panel control panel, potentially leading to unauthorized management of Linux servers and exposure of sensitive information.
What immediate steps should I take to mitigate this vulnerability?
Upgrade 1Panel to version 2.0.14 or later, as this version fixes the issue by changing the default TrustedProxies configuration to prevent trusting all IP addresses as proxies. Until the upgrade, avoid relying solely on IP-based access controls since they can be bypassed by spoofing the X-Forwarded-For header.
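The trusted-proxy rule behind this issue, as an added example in Go (not 1Panel's or Gin's own code): a simplified model of how a ClientIP()-style lookup decides whether X-Forwarded-For is honoured, run once with the default trust-everything list and once with a list narrowed to the real reverse proxy. All CIDRs and addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// trusted reports whether ip lies inside one of the trusted-proxy CIDRs (Gin's TrustedProxies equivalent).
func trusted(cidrs []string, ip net.IP) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP is a simplified model (added here, not Gin's source) of the rule ClientIP() applies:
// X-Forwarded-For is honoured only when the TCP peer is a trusted proxy; the header is then walked
// right to left and the first hop that is not itself a trusted proxy (or the leftmost) is the client.
func ClientIP(trustedCIDRs []string, remoteAddr, xff string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	if peer := net.ParseIP(host); peer == nil || !trusted(trustedCIDRs, peer) {
		return host // untrusted peer: the header is ignored entirely
	}
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(parts[i]))
		if ip == nil {
			break // empty or malformed entry: fall back to the peer address
		}
		if i == 0 || !trusted(trustedCIDRs, ip) {
			return ip.String()
		}
	}
	return host
}

func main() {
	all := []string{"0.0.0.0/0", "::/0"} // Gin default: every peer counts as a proxy
	lb := []string{"10.0.0.0/8"}         // hardened: only the real reverse proxy
	fmt.Println(ClientIP(all, "203.0.113.5:4321", "127.0.0.1")) // 127.0.0.1: forged header accepted
	fmt.Println(ClientIP(lb, "203.0.113.5:4321", "127.0.0.1"))  // 203.0.113.5: header ignored
	fmt.Println(ClientIP(lb, "10.0.0.7:4321", "198.51.100.9"))  // 198.51.100.9: real client behind the proxy
}
```

Passing an empty list, the equivalent of SetTrustedProxies(nil), makes the header never count, which is the safe choice when no reverse proxy sits in front of the panel.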