
Fabio: Fabio Reverse Proxy: Connection-Header Abuse Strips Trusted X-Forwarded Headers

CVE-2025-48865 · Critical · Published
CVSS: 9.1 Critical · Network · no privileges required
EPSS: 0.00166 (0.2% chance of exploit in 30d)
CWE: CWE-444 Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

Per GHSA-q7p4-7xjv-j3wf: “Fabio allows clients to remove X-Forwarded headers (except `X-Forwarded-For`) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like `X-Forwarded-Host` and `X-Forwarded-Port` when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities.”

Affected Packages / Versions

  • Package: fabio (Go)
  • Latest published version at triage time: 1.6.5
  • Affected range: Per GHSA-q7p4-7xjv-j3wf: fabio <= 1.6.5
  • Patched version: Fabio 1.6.6

Impact

Per GHSA, the bypass relies on “the behavior that headers can be defined as hop-by-hop”: a client lists X-Forwarded-Host, X-Forwarded-Port and similar names in its Connection: header, and Fabio, honouring that list when it forwards the request, strips the very headers it has just added. The backend therefore receives the request without the proxy-set X-Forwarded-* values it is entitled to trust; whatever it falls back to (the Host header, a default scheme or port, or, per the GHSA, a client-modified value) is now under the client's control. Per the GHSA, X-Forwarded-For is not affected.
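The ordering problem described above, as an added example in Go. This is not Fabio's code and does not reproduce its proxy implementation; it is a hypothetical model of a reverse proxy's outbound header handling with made-up function names, showing the vulnerable order (set X-Forwarded-*, then honour the client's Connection tokens) beside the hardened order (consume the client's hop-by-hop list first, then set the trusted headers). The inbound request is constructed inline.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Added example, not Fabio's code: a minimal model of a reverse proxy's
// outbound header handling. All names below are hypothetical.

// Hop-by-hop headers a proxy must never forward (RFC 7230 section 6.1).
var alwaysHopByHop = []string{
	"Connection", "Keep-Alive", "Proxy-Authenticate", "Proxy-Authorization",
	"Te", "Trailer", "Transfer-Encoding", "Upgrade",
}

// connectionTokens returns the header names the client listed in its
// Connection header; a proxy treats those as hop-by-hop for this request.
func connectionTokens(h http.Header) []string {
	var names []string
	for _, v := range h.Values("Connection") {
		for _, tok := range strings.Split(v, ",") {
			if tok = strings.TrimSpace(tok); tok != "" {
				names = append(names, http.CanonicalHeaderKey(tok))
			}
		}
	}
	return names
}

// stripHopByHop removes the fixed hop-by-hop set plus everything the
// client named in Connection.
func stripHopByHop(h http.Header) {
	for _, name := range connectionTokens(h) {
		h.Del(name)
	}
	for _, name := range alwaysHopByHop {
		h.Del(name)
	}
}

// setForwardedHeaders records the client-facing host, port and scheme
// for the backend. These are the values the backend is meant to trust.
func setForwardedHeaders(h http.Header, host, port, proto string) {
	h.Set("X-Forwarded-Host", host)
	h.Set("X-Forwarded-Port", port)
	h.Set("X-Forwarded-Proto", proto)
}

// vulnerableOutbound models the flaw in the advisory: the proxy sets its
// X-Forwarded-* headers first and then honours the client's Connection
// tokens, so a client that lists "X-Forwarded-Host" there gets it deleted.
func vulnerableOutbound(in http.Header, host, port, proto string) http.Header {
	out := in.Clone()
	setForwardedHeaders(out, host, port, proto)
	stripHopByHop(out)
	return out
}

// hardenedOutbound consumes the client's Connection tokens against the
// inbound headers only, then sets X-Forwarded-*, which therefore cannot be
// named for removal and also overwrite any client-supplied copies.
func hardenedOutbound(in http.Header, host, port, proto string) http.Header {
	out := in.Clone()
	stripHopByHop(out)
	setForwardedHeaders(out, host, port, proto)
	return out
}

// constructedRequest is a made-up inbound request: the client declares the
// proxy's trusted headers hop-by-hop and also supplies its own values.
func constructedRequest() http.Header {
	h := http.Header{}
	h.Set("Connection", "X-Forwarded-Host, X-Forwarded-Port, X-Forwarded-Proto")
	h.Set("X-Forwarded-Host", "attacker.example")
	h.Set("X-Forwarded-Proto", "http")
	return h
}

func main() {
	in := constructedRequest()
	for _, c := range []struct {
		name string
		fn   func(http.Header, string, string, string) http.Header
	}{{"vulnerable", vulnerableOutbound}, {"hardened", hardenedOutbound}} {
		out := c.fn(in, "app.example", "443", "https")
		fmt.Printf("%-10s X-Forwarded-Host=%q X-Forwarded-Port=%q X-Forwarded-Proto=%q Connection=%q\n",
			c.name, out.Get("X-Forwarded-Host"), out.Get("X-Forwarded-Port"),
			out.Get("X-Forwarded-Proto"), out.Get("Connection"))
	}
}
```

In the vulnerable order the backend receives no X-Forwarded-Host, -Port or -Proto at all, which is exactly the "remove" case the GHSA describes; in the hardened order the client's Connection list can only ever remove the client's own headers, and the proxy-set values always reach the backend. The same request shape (a Connection: header naming X-Forwarded-*) is what you would send through a Fabio deployment, and inspect on the backend, to confirm whether it is still on an affected version.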

Severity Rationale

GHSA severity: CRITICAL. NVD CVSS 9.1 (Critical): network AV, low complexity, no privileges or UI, with high confidentiality and integrity impact.

Fix

Per GHSA: upgrade Fabio to 1.6.6. Fix commit: fdaf1e966162e9dd3b347ffdd0647b39dc71a1a3.

Disclosure timeline

  • TBD · Reported to vendor
  • TBD · Patch released (Fabio 1.6.6)
  • May 29, 2025 · GHSA-q7p4-7xjv-j3wf published

Discovered by Siddhant Kalgutkar · Published April 29, 2026