Heimdall IP Spoofing via Unvalidated Forwarding Headers

A high-severity vulnerability has been identified in dadrus/heimdall versions up to and including 0.17.16. This flaw allows attackers to spoof client IP addresses when the trusted_proxies option is configured, due to insufficient validation of values extracted from Forwarded and X-Forwarded-For HTTP headers. Heimdall extracts these header values into Request.ClientIPAddresses without checking for syntactically valid IP addresses, accepting arbitrary strings, malformed literals, or RFC 7239 unknown values. Additionally, the Forwarded header parser fails to correctly handle quoted strings containing delimiters (, or ;), leading to misparsing and the creation of malformed entries. This vulnerability can be exploited by manipulating HTTP forwarding headers, allowing attackers to bypass access control rules that rely on Request.ClientIPAddresses for authorization, or to propagate attacker-controlled IP values to upstream services when Heimdall operates in proxy mode.

Attack Chain

1. An attacker crafts an HTTP request targeting a heimdall instance where the trusted_proxies configuration option is enabled.
2. The attacker includes a manipulated X-Forwarded-For header (e.g., X-Forwarded-For: 192.168.1.1, EVIL_IP) or Forwarded header (e.g., Forwarded: for="127.0.0.1;attacker_id", Forwarded: for="unknown") containing a syntactically invalid, spoofed, or otherwise malformed IP address value.
3. Heimdall, lacking proper validation, extracts this malicious value from the forwarding header and populates its internal Request.ClientIPAddresses property with the attacker-controlled string.
4. If the heimdall instance uses rules (e.g., a CEL authorizer) that reference Request.ClientIPAddresses to enforce access control (e.g., restricting access to specific IP ranges), these rules evaluate against the spoofed IP.
5. The attacker successfully bypasses the intended access control logic, gaining unauthorized access or circumventing restrictions based on the spoofed IP address.
6. (Alternative/Concurrent): If heimdall is operating in proxy mode, it uses the manipulated Request.ClientIPAddresses to reconstruct X-Forwarded-For and Forwarded headers before forwarding the request to upstream services.
7. Upstream services that trust these forwarded headers will receive and process the attacker-controlled IP value, potentially leading to incorrect logging, misattribution, or further exploitation within the internal network.

Impact

The primary impact of this vulnerability is the circumvention of application-level access controls and the potential for misattribution or further exploitation of upstream systems. Organizations utilizing dadrus/heimdall as an API gateway or proxy with the trusted_proxies option enabled are at risk. Attackers can bypass IP-based authorization checks, granting them unauthorized access to protected resources. Furthermore, in proxy mode, attacker-controlled IP values can be propagated to backend services, corrupting security logs, impacting forensic investigations, or enabling further attacks that rely on source IP validation. There is no information regarding specific victim counts or targeted sectors in the advisory, but any organization relying on Heimdall's IP-based security features could be affected.

Recommendation

• Upgrade dadrus/heimdall to a version higher than 0.17.16 immediately to patch the vulnerability described in the GHSA advisory.
• Ensure network-level controls are in place to only permit trusted proxies to communicate directly with your Heimdall instances.
• Configure any proxies forwarding requests to Heimdall to sanitize or completely override, rather than append to, existing Forwarded or X-Forwarded-For headers.
• Review and adjust any rules (e.g., CEL authorizer rules) that rely on Request.ClientIPAddresses for security-sensitive decisions, considering the potential for IP spoofing until patches are applied.
• Deploy the Sigma rules provided in this brief to your SIEM to detect attempts at IP spoofing via manipulated X-Forwarded-For and Forwarded headers.