PT-2025-23220 · Fabio

47Cid · Published 2025-05-29 · Updated 2026-03-13

CVE-2025-48865 · CVSS v3.1 9.1 Critical · Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Fabio versions prior to 1.6.6

Description: Fabio is an HTTP(S) and TCP router for deploying applications managed by Consul. A vulnerability in how it processes hop-by-hop headers allows clients to remove X-Forwarded headers (except X-Forwarded-For). This creates potential security vulnerabilities, since the receiving application is expected to trust these headers. The attack relies on the behavior that headers can be declared hop-by-hop via the HTTP Connection header. Some custom headers can be removed and, in certain cases, manipulated.

Recommendations: For versions prior to 1.6.6, update to version 1.6.6 to resolve the issue. As a temporary workaround, restrict the ability of clients to remove or modify X-Forwarded headers until the update is applied. Avoid relying on the X-Forwarded-Host and X-Forwarded-Port headers in sensitive operations until the issue is resolved.
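To make the weakness in the description and the workaround in the recommendations concrete, the following is an added Go example; it is not Fabio's code and does not reproduce its internals. It models a proxy's hop-by-hop header removal in the weak form (every name a client lists in Connection is dropped, including the X-Forwarded-* headers the proxy itself added) beside a hardened form that never lets a client-controlled Connection header strip proxy-owned X-Forwarded-* headers, plus a detection helper an operator can log on at the edge. The inbound request headers, hostname and address are constructed sample values.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Standard hop-by-hop headers (RFC 7230 section 6.1) that a proxy must not forward.
var hopByHopHeaders = []string{
	"Connection", "Keep-Alive", "Proxy-Authenticate", "Proxy-Authorization",
	"Te", "Trailer", "Transfer-Encoding", "Upgrade",
}

// protectedPrefix covers headers the proxy sets for the backend; a client-supplied
// Connection header must never be allowed to strip them.
const protectedPrefix = "X-Forwarded-"

// connectionTokens returns the canonicalised header names a client listed in its
// Connection header (RFC 7230 lets Connection name further hop-by-hop headers).
func connectionTokens(h http.Header) []string {
	var names []string
	for _, v := range h.Values("Connection") {
		for _, tok := range strings.Split(v, ",") {
			if tok = strings.TrimSpace(tok); tok != "" {
				names = append(names, http.CanonicalHeaderKey(tok))
			}
		}
	}
	return names
}

// stripHopByHopWeak models the pattern the advisory describes (an assumption, not
// Fabio's actual code): every name the client lists in Connection is dropped,
// including the X-Forwarded-* headers the proxy itself added.
func stripHopByHopWeak(h http.Header) {
	for _, name := range connectionTokens(h) {
		h.Del(name)
	}
	for _, name := range hopByHopHeaders {
		h.Del(name)
	}
}

// stripHopByHopHardened drops the standard set and client-listed names, but skips
// anything under the proxy-owned X-Forwarded- prefix so the backend can keep
// trusting those values.
func stripHopByHopHardened(h http.Header) {
	for _, name := range connectionTokens(h) {
		if strings.HasPrefix(name, protectedPrefix) {
			continue
		}
		h.Del(name)
	}
	for _, name := range hopByHopHeaders {
		h.Del(name)
	}
}

// clientTargetsForwardedHeaders is a detection check: true when the inbound
// Connection header names any X-Forwarded-* header, which a legitimate client has
// no reason to do and which is worth logging at the edge.
func clientTargetsForwardedHeaders(h http.Header) bool {
	for _, name := range connectionTokens(h) {
		if strings.HasPrefix(name, protectedPrefix) {
			return true
		}
	}
	return false
}

// buildOutbound simulates the router's forwarding step: clone the inbound headers,
// add the forwarding metadata the backend relies on, run the hop-by-hop strip, then
// set X-Forwarded-For last (mirroring the advisory's note that it survives).
func buildOutbound(in http.Header, strip func(http.Header)) http.Header {
	out := in.Clone()
	out.Set("X-Forwarded-Host", "app.example.test") // constructed values
	out.Set("X-Forwarded-Port", "443")
	out.Set("X-Forwarded-Proto", "https")
	strip(out)
	out.Set("X-Forwarded-For", "203.0.113.7")
	return out
}

func main() {
	// Constructed inbound request: the client lists proxy-owned headers in
	// Connection so that a naive proxy treats them as hop-by-hop.
	in := http.Header{}
	in.Set("Host", "app.example.test")
	in.Set("Connection", "close, X-Forwarded-Host, X-Forwarded-Port")

	fmt.Println("tamper attempt detected:", clientTargetsForwardedHeaders(in))
	weak := buildOutbound(in, stripHopByHopWeak)
	hard := buildOutbound(in, stripHopByHopHardened)
	fmt.Printf("weak:     X-Forwarded-Host=%q X-Forwarded-Port=%q\n",
		weak.Get("X-Forwarded-Host"), weak.Get("X-Forwarded-Port"))
	fmt.Printf("hardened: X-Forwarded-Host=%q X-Forwarded-Port=%q\n",
		hard.Get("X-Forwarded-Host"), hard.Get("X-Forwarded-Port"))
}
```

The hardened variant is the shape of the recommended workaround: hop-by-hop semantics for the client's own headers are preserved, but the forwarding metadata the backend trusts is decided by the proxy, not by the request. The detection helper gives a cheap signal to alert on while the upgrade to 1.6.6 is rolled out.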

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2025-48865
GHSA-Q7P4-7XJV-J3WF
GO-2025-3722
OPENSUSE-SU-2025:15225-1

Affected Products

Fabio