PT-2026-55842 · Go · Github.Com/Go-Chi/Chi/Middleware+4

Published

2026-06-25

·

Updated

2026-06-25

CVSS v4.0

7.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Summary

The vulnerability allows the Request.RemoteAddr to be spoofed when determining the request source IP via the X-Forwarded-For header. This could result in misidentification of the request source and potentially compromise access control and logging integrity.

Details

Currently, the RealIP() implementation splits the X-Forwarded-For header by , and uses the first IP. https://github.com/go-chi/chi/blob/v5.1.0/middleware/realip.go#L50-L54
However, relying on the first IP in the X-Forwarded-For header is insecure because it can be manipulated by attackers to falsify the source IP.
Malicious Case:
  1. A malicious client sends a request with a forged IP in the X-Forwarded-For header: X-Forwarded-For: <forged-ip>
  2. The proxy appends the actual client’s IP and forwards the request: X-Forwarded-For: <forged-ip>,<client-ip>
  3. If the server always uses the first IP, it becomes vulnerable to IP spoofing.
Ideally, the implementation should verify IPs starting from the end of the X-Forwarded-For header value, skipping trusted IPs within the system, and using the first untrusted IP as the actual client IP.
For example, the labstack/echo web framework processes the X-Forwarded-For header by checking IPs from the end, skipping trusted IPs, and using the first untrusted IP as the client's ip. https://github.com/labstack/echo/blob/v4.13.2/ip.go#L261-L273

PoC

1. Run the Go application with the following code:

go
package main

import (
  "fmt"
  "log"
  "net/http"

  "github.com/go-chi/chi/v5/middleware"
)

func main() {
  // Set handler to print the remote address
  handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintln(
      w,
      fmt.Sprintf("remote addr: %s (want 192.0.2.1)", r.RemoteAddr),
    )
  })
  // Use RealIP middleware
  log.Fatal(http.ListenAndServe(":8080", middleware.RealIP(handler)))
}

2. Send a request to the server using curl with a manipulated X-Forwarded-For header:

$ curl localhost:8080 -H 'X-Forwarded-For: 192.0.2.2, 192.0.2.1'
remote addr: 192.0.2.2 (want 192.0.2.1)

Impact

This vulnerability can lead to a request source IP spoofing issue, which may allow attackers to bypass access controls or falsify request logs. It primarily affects systems that rely on X-Forwarded-For to determine the actual client IP, particularly in scenarios where intermediary proxies or load balancers are involved.

Fix

Origin Validation Error

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-9G5Q-2W5X-HMXF

Affected Products

Github.Com/Go-Chi/Chi/Middleware
Github.Com/Go-Chi/Chi/V2/Middleware
Github.Com/Go-Chi/Chi/V3/Middleware
Github.Com/Go-Chi/Chi/V4/Middleware
Github.Com/Go-Chi/Chi/V5/Middleware