CVE-2023-50463

Name of the Vulnerable Software and Affected Versions caddy-geo-ip versions 0.6.0 and earlier for Caddy 2

Description The issue allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism, such as the trusted proxy directive in reverse proxy or IP address range restrictions, when trust header X-Forwarded-For is used.

Recommendations For caddy-geo-ip versions 0.6.0 and earlier, consider disabling the trust header X-Forwarded-For until a patch is available to prevent attackers from spoofing their source IP address. Restrict access to the reverse proxy directive to minimize the risk of exploitation. Avoid using the X-Forwarded-For header in the affected middleware until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.