GHSA-7cqv-qcq2-r765
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7cqv-qcq2-r765
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-7cqv-qcq2-r765/GHSA-7cqv-qcq2-r765.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-7cqv-qcq2-r765
- Aliases
-
- CVE-2025-66508
- Published
- 2025-12-08T17:56:57Z
- Modified
- 2025-12-08T18:11:15.738531Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- 1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers
- Details
-
Summary
The server trusts all reverse-proxy headers by default, so any remote client can spoof
X-Forwarded-Forto bypass IP-based protections (AllowIPs, API IP whitelist, “localhost-only” checks). All IP-based access control becomes ineffective.Details
Gin is created with defaults (
gin.Default()), which setsTrustedProxies = 0.0.0.0/0and usesX-Forwarded-For/X-Real-IPto computeClientIP().IP-based controls rely on
ClientIP():- AllowIPs / BindDomain (core/middleware/ip_limit.go, core/utils/security/security.go).
- API IP whitelist (core/middleware/api_auth.go).
- "localhost-only" checks that depend on
ClientIP().
Because no trusted-proxy range is enforced, any client can send
X-Forwarded-For: 127.0.0.1(or a whitelisted IP) and be treated as coming from that address.
Impact
All IP-based access control is rendered ineffective: remote clients can masquerade as localhost or any whitelisted IP, defeating AllowIPs, API IP whitelists, and “localhost-only” protections.
- Database specific
{ "github_reviewed": true, "nvd_published_at": null, "severity": "MODERATE", "cwe_ids": [ "CWE-290" ], "github_reviewed_at": "2025-12-08T17:56:57Z" }- References
Affected packages
Go / github.com/1Panel-dev/1Panel
Package
- Name
- github.com/1Panel-dev/1Panel
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/1Panel-dev/1Panel
Go / github.com/1Panel-dev/1Panel/agent
Package
- Name
- github.com/1Panel-dev/1Panel/agent
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/1Panel-dev/1Panel/agent