PT-2026-55842 · Go · Github.Com/Go-Chi/Chi/Middleware+4
Publicado
2026-06-25
·
Atualizado
2026-06-25
CVSS v4.0
7.7
Alta
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P |
Summary
The vulnerability allows the
Request.RemoteAddr to be spoofed when determining the request source IP via the X-Forwarded-For header. This could result in misidentification of the request source and potentially compromise access control and logging integrity.Details
Currently, the
RealIP() implementation splits the X-Forwarded-For header by , and uses the first IP.
https://github.com/go-chi/chi/blob/v5.1.0/middleware/realip.go#L50-L54However, relying on the first IP in the
X-Forwarded-For header is insecure because it can be manipulated by attackers to falsify the source IP.Malicious Case:
- A malicious client sends a request with a forged IP in the X-Forwarded-For header:
X-Forwarded-For: <forged-ip> - The proxy appends the actual client’s IP and forwards the request:
X-Forwarded-For: <forged-ip>,<client-ip> - If the server always uses the first IP, it becomes vulnerable to IP spoofing.
Ideally, the implementation should verify IPs starting from the end of the
X-Forwarded-For header value, skipping trusted IPs within the system, and using the first untrusted IP as the actual client IP.For example, the
labstack/echo web framework processes the X-Forwarded-For header by checking IPs from the end, skipping trusted IPs, and using the first untrusted IP as the client's ip.
https://github.com/labstack/echo/blob/v4.13.2/ip.go#L261-L273PoC
1. Run the Go application with the following code:
go
package main
import (
"fmt"
"log"
"net/http"
"github.com/go-chi/chi/v5/middleware"
)
func main() {
// Set handler to print the remote address
handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fmt.Fprintln(
w,
fmt.Sprintf("remote addr: %s (want 192.0.2.1)", r.RemoteAddr),
)
})
// Use RealIP middleware
log.Fatal(http.ListenAndServe(":8080", middleware.RealIP(handler)))
}2. Send a request to the server using curl with a manipulated X-Forwarded-For header:
$ curl localhost:8080 -H 'X-Forwarded-For: 192.0.2.2, 192.0.2.1'
remote addr: 192.0.2.2 (want 192.0.2.1)Impact
This vulnerability can lead to a request source IP spoofing issue, which may allow attackers to bypass access controls or falsify request logs. It primarily affects systems that rely on X-Forwarded-For to determine the actual client IP, particularly in scenarios where intermediary proxies or load balancers are involved.
Correção
Origin Validation Error
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Github.Com/Go-Chi/Chi/Middleware
Github.Com/Go-Chi/Chi/V2/Middleware
Github.Com/Go-Chi/Chi/V3/Middleware
Github.Com/Go-Chi/Chi/V4/Middleware
Github.Com/Go-Chi/Chi/V5/Middleware