CVE-2025-66508
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-10

Assigner: GitHub, Inc.

Description
1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.14 and below use Gin's default configuration which trusts all IP addresses as proxies (TrustedProxies = 0.0.0.0/0), allowing any client to spoof the X-Forwarded-For header. Since all IP-based access controls (AllowIPs, API whitelists, localhost-only checks) rely on ClientIP(), attackers can bypass these protections by simply sending X-Forwarded-For: 127.0.0.1 or any whitelisted IP. This renders all IP-based security controls ineffective. This issue is fixed in version 2.0.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-09
Last Modified
2025-12-10
Generated
2026-06-16
AI Q&A
2025-12-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66508
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
1panel 1panel 2.0.14
fit2cloud 1panel to 2.0.14 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in 1Panel versions 2.0.14 and below, where the software uses Gin's default configuration that trusts all IP addresses as proxies. This allows any client to spoof the X-Forwarded-For header. Since the application relies on the ClientIP() function for IP-based access controls, attackers can bypass these protections by sending a forged X-Forwarded-For header with a whitelisted IP address, such as 127.0.0.1. As a result, all IP-based security controls become ineffective.

Impact Analysis

This vulnerability can allow attackers to bypass IP-based security controls like AllowIPs, API whitelists, and localhost-only checks by spoofing trusted IP addresses. This means unauthorized users could gain access to restricted areas or functionalities of the 1Panel control panel, potentially leading to unauthorized management of Linux servers and exposure of sensitive information.

Mitigation Strategies

Upgrade 1Panel to version 2.0.14 or later, as this version fixes the issue by changing the default TrustedProxies configuration to prevent trusting all IP addresses as proxies. Until the upgrade, avoid relying solely on IP-based access controls since they can be bypassed by spoofing the X-Forwarded-For header.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66508. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart