PT-2026-1292 · Unknown · Mega-Fence

Published: 2026-01-05 · Updated: 2026-01-30 · CVE-2025-65328

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Mega-Fence versions 25.1.914 and prior

Description

The software does not validate a trusted proxy chain when using the X-Forwarded-For (XFF) header to determine the client IP address. An attacker can manipulate the XFF header to spoof the client IP address, which is then used in security-relevant operations, such as setting the WG CLIENT IP cookie. This could allow bypassing of IP allowlists. The X-Forwarded-For (XFF) header is a de facto standard HTTP header field used to identify the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.

Recommendations

Versions prior to 25.1.914 should be updated.

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2025-65328

Affected Products

Mega-Fence