CVE-2026-45045
Received Received - Intake

Header Injection via X-Real-IP in Fiber Go Framework

Vulnerability report for CVE-2026-45045, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream servers for logging, rate limiting, and access control. This issue is fixed in version 3.3.0 and 2.52.14.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
gofiber fiber to 3.3.0 (exc)
gofiber fiber 3.3.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-45045 is a security vulnerability in the Fiber web framework, which is written in Go. The issue occurs in the BalancerForward proxy middleware where the code uses Header.Add() instead of Header.Set() to handle the X-Real-IP header. This causes the middleware to append attacker-supplied X-Real-IP values instead of overwriting them. As a result, an attacker can spoof the X-Real-IP header by injecting a malicious IP address that is forwarded as the first value to upstream servers.

Upstream servers that rely on the first X-Real-IP header value for logging, rate limiting, or access control may trust the attacker-controlled IP, leading to security bypasses. The vulnerability was fixed by changing the method from Header.Add() to Header.Set(), ensuring the real client IP overwrites any spoofed header.

Mitigation Strategies

The immediate mitigation step is to update the Fiber web framework to a fixed version where the vulnerability is resolved.

  • Upgrade to Fiber version 3.3.0 or later if you are using the v3 branch.
  • If you are using the v2 branch, upgrade to version 2.52.14 or later, which includes the backported fix.

The fix changes the proxy middleware's BalancerForward implementation to use Header.Set() instead of Header.Add() when setting the X-Real-IP header, ensuring that the real client IP overwrites any attacker-supplied values.

Additionally, review your upstream server configurations to ensure they do not trust the first X-Real-IP header blindly and consider implementing additional validation or filtering of client IP headers.

Compliance Impact

The vulnerability allows attackers to spoof the X-Real-IP header, causing upstream servers to log, rate limit, or control access based on a falsified client IP address.

This can lead to bypassing IP-based rate limits, internal IP allowlists, audit logs, and geolocation restrictions.

Such manipulation of logging and access control mechanisms can undermine the integrity and reliability of security controls and audit trails, which are critical for compliance with standards like GDPR and HIPAA that require accurate logging and access control.

Therefore, this vulnerability could negatively impact compliance by allowing attackers to evade detection and access restrictions that rely on accurate client IP information.

Impact Analysis

This vulnerability can allow attackers to spoof their IP address by injecting a fake X-Real-IP header that is forwarded to upstream servers as the first value. This can impact security mechanisms that rely on the client IP, such as logging, rate limiting, access control, and geolocation restrictions.

  • Bypassing IP-based rate limits, allowing attackers to evade throttling.
  • Circumventing internal IP allowlists or access control lists that restrict access based on IP.
  • Tampering with audit logs by making malicious requests appear to come from trusted IPs.
  • Evading geolocation-based restrictions or policies.
Detection Guidance

This vulnerability involves the improper handling of the X-Real-IP header in the Fiber web framework's proxy middleware, where attacker-supplied X-Real-IP values can be forwarded to upstream servers. To detect this on your network or system, you can monitor HTTP requests and responses for multiple X-Real-IP headers or suspicious IP values in the first X-Real-IP header.

One approach is to capture and inspect HTTP traffic to see if the X-Real-IP header contains multiple IP addresses or unexpected values that could indicate header spoofing.

Example commands to detect suspicious X-Real-IP headers might include:

  • Using tcpdump to capture HTTP traffic on port 80 or 443: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'X-Real-IP'
  • Using curl to send a request with a custom X-Real-IP header and observe the response or logs: curl -H 'X-Real-IP: attacker-ip' http://your-fiber-app
  • Checking your upstream server logs (e.g., nginx) for multiple or suspicious X-Real-IP header values.

Since the vulnerability allows an attacker to append X-Real-IP headers, detection involves identifying if your system or upstream servers are trusting the first X-Real-IP header value, which might be attacker-controlled.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45045. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart