IP allowlist bypass via spoofed forwarded IP headers #2

@Tibinsunny

Description

Summary

I was able to bypass the IP allowlist protection on a restricted endpoint by manipulating client-supplied IP forwarding headers. This indicates that the application trusts forwarded IP headers without validating that the request actually originates from a trusted proxy.


Impact

This issue can allow an attacker to:

  • Bypass IP-based access restrictions
  • Access endpoints intended to be protected by network allowlisting

You can curl the API from anywhere with a custom X-Forwarded-For header containing the allowed IP address, making the file accessible:

    curl -H "X-Forwarded-For: 10.0.0.1" http://localhost:8089/api/docs/view/<UUID>

Just replace the X-Forwarded-For value with the whitelisted IP.

POC video
https://youtu.be/eRnTd-0vuB4

Root Cause

The IP validation logic appears to:

  • Trust forwarded IP headers provided by the client
  • Not restrict the use of these headers to a trusted reverse proxy or load balancer

As a result, the perceived client IP can be influenced by the requester.
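For readers fixing this class of bug, the following is an added example, not code from the issue reporter or from the affected project. It puts the flawed behaviour described above (believing the first X-Forwarded-For entry no matter who sent it) beside a resolver that honours the header only when the TCP peer is a known reverse proxy, and then walks the chain from the right to the last hop the proxies did not add. The allowlist, the trusted-proxy range and every address in the samples are constructed for illustration; the real deployment's ranges are unknown.

```python
"""Resolving the real client IP before an IP-allowlist check (added example)."""
import ipaddress

# Constructed sample configuration: the protected range and the reverse-proxy hop.
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.100.0/24")]


def in_any(ip, networks):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def client_ip_vulnerable(peer_addr, xff_header):
    """The pattern the report describes: the first X-Forwarded-For entry is
    taken as the client IP regardless of who connected, so any caller can
    choose the address the allowlist sees."""
    if xff_header:
        return xff_header.split(",")[0].strip()
    return peer_addr


def client_ip_hardened(peer_addr, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Trust X-Forwarded-For only when the direct peer is one of our proxies.
    Proxies append the address they saw, so the rightmost entry that is not a
    proxy is the hop we can actually vouch for; anything to its left was
    supplied by the client and is ignored. A malformed header is discarded."""
    if not in_any(peer_addr, trusted_proxies):
        return peer_addr  # direct connection: the header is caller-controlled
    if not xff_header:
        return peer_addr
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff_header.split(",")]
    except ValueError:
        return peer_addr  # unparseable hop: fall back to the socket address
    for hop in reversed(hops):
        if not in_any(str(hop), trusted_proxies):
            return str(hop)
    return peer_addr  # chain held nothing but proxy addresses


def is_allowed(ip, allowlist=ALLOWLIST):
    """Allowlist decision on an already-resolved client IP."""
    return in_any(ip, allowlist)


def demo():
    """Constructed scenarios: a spoofed header from an external host, the same
    request arriving through the proxy, and a legitimate internal client."""
    external, proxy, internal = "203.0.113.7", "192.168.100.5", "10.0.0.1"
    results = {
        # External host sets XFF directly: vulnerable code lets it in.
        "vuln_direct": is_allowed(client_ip_vulnerable(external, internal)),
        "hard_direct": is_allowed(client_ip_hardened(external, internal)),
        # Same host via the proxy, which appends its real address.
        "hard_via_proxy": is_allowed(
            client_ip_hardened(proxy, f"{internal}, {external}")),
        # Genuine internal client reaching the service through the proxy.
        "hard_internal": is_allowed(client_ip_hardened(proxy, internal)),
    }
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:15} allowed={allowed}")
```

The design point is that the socket peer address is the only input the server knows to be authentic; header contents inherit trust from that peer, never the other way round. The same rule applies to Forwarded, X-Real-IP and similar headers, and the proxy itself must overwrite or append to the header rather than pass a client-supplied value through untouched.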
