PT-2026-55842 · Go · Github.Com/Go-Chi/Chi/Middleware+4

Publicado

2026-06-25

·

Atualizado

2026-06-25

CVSS v4.0

7.7

Alta

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Summary

The vulnerability allows the Request.RemoteAddr to be spoofed when determining the request source IP via the X-Forwarded-For header. This could result in misidentification of the request source and potentially compromise access control and logging integrity.

Details

Currently, the RealIP() implementation splits the X-Forwarded-For header by , and uses the first IP. https://github.com/go-chi/chi/blob/v5.1.0/middleware/realip.go#L50-L54
However, relying on the first IP in the X-Forwarded-For header is insecure because it can be manipulated by attackers to falsify the source IP.
Malicious Case:
  1. A malicious client sends a request with a forged IP in the X-Forwarded-For header: X-Forwarded-For: <forged-ip>
  2. The proxy appends the actual client’s IP and forwards the request: X-Forwarded-For: <forged-ip>,<client-ip>
  3. If the server always uses the first IP, it becomes vulnerable to IP spoofing.
Ideally, the implementation should verify IPs starting from the end of the X-Forwarded-For header value, skipping trusted IPs within the system, and using the first untrusted IP as the actual client IP.
For example, the labstack/echo web framework processes the X-Forwarded-For header by checking IPs from the end, skipping trusted IPs, and using the first untrusted IP as the client's ip. https://github.com/labstack/echo/blob/v4.13.2/ip.go#L261-L273

PoC

1. Run the Go application with the following code:

go
package main

import (
  "fmt"
  "log"
  "net/http"

  "github.com/go-chi/chi/v5/middleware"
)

func main() {
  // Set handler to print the remote address
  handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintln(
      w,
      fmt.Sprintf("remote addr: %s (want 192.0.2.1)", r.RemoteAddr),
    )
  })
  // Use RealIP middleware
  log.Fatal(http.ListenAndServe(":8080", middleware.RealIP(handler)))
}

2. Send a request to the server using curl with a manipulated X-Forwarded-For header:

$ curl localhost:8080 -H 'X-Forwarded-For: 192.0.2.2, 192.0.2.1'
remote addr: 192.0.2.2 (want 192.0.2.1)

Impact

This vulnerability can lead to a request source IP spoofing issue, which may allow attackers to bypass access controls or falsify request logs. It primarily affects systems that rely on X-Forwarded-For to determine the actual client IP, particularly in scenarios where intermediary proxies or load balancers are involved.

Correção

Origin Validation Error

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-9G5Q-2W5X-HMXF

Produtos afetados

Github.Com/Go-Chi/Chi/Middleware
Github.Com/Go-Chi/Chi/V2/Middleware
Github.Com/Go-Chi/Chi/V3/Middleware
Github.Com/Go-Chi/Chi/V4/Middleware
Github.Com/Go-Chi/Chi/V5/Middleware