{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.",
  "feed_url": "https://feed.craftedsignal.io/products/heimdall--0.17.16/feed.json",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cpes": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_has_poc": false,
      "_cs_poc_references": [],
      "_cs_products": ["heimdall (\u003c= 0.17.16)"],
      "_cs_severities": ["high"],
      "_cs_tags": ["ip-spoofing", "access-bypass", "web-application", "github-advisory"],
      "_cs_type": "advisory",
      "_cs_vendors": ["dadrus"],
      "content_html": "\u003cp\u003eA high-severity vulnerability has been identified in \u003ccode\u003edadrus/heimdall\u003c/code\u003e versions up to and including 0.17.16. This flaw allows attackers to spoof client IP addresses when the \u003ccode\u003etrusted_proxies\u003c/code\u003e option is configured, due to insufficient validation of values extracted from \u003ccode\u003eForwarded\u003c/code\u003e and \u003ccode\u003eX-Forwarded-For\u003c/code\u003e HTTP headers. Heimdall extracts these header values into \u003ccode\u003eRequest.ClientIPAddresses\u003c/code\u003e without checking for syntactically valid IP addresses, accepting arbitrary strings, malformed literals, or RFC 7239 \u003ccode\u003eunknown\u003c/code\u003e values. Additionally, the \u003ccode\u003eForwarded\u003c/code\u003e header parser fails to correctly handle quoted strings containing delimiters (\u003ccode\u003e,\u003c/code\u003e or \u003ccode\u003e;\u003c/code\u003e), leading to misparsing and the creation of malformed entries. This vulnerability can be exploited by manipulating HTTP forwarding headers, allowing attackers to bypass access control rules that rely on \u003ccode\u003eRequest.ClientIPAddresses\u003c/code\u003e for authorization, or to propagate attacker-controlled IP values to upstream services when Heimdall operates in proxy mode.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts an HTTP request targeting a heimdall instance where the \u003ccode\u003etrusted_proxies\u003c/code\u003e configuration option is enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a manipulated \u003ccode\u003eX-Forwarded-For\u003c/code\u003e header (e.g., \u003ccode\u003eX-Forwarded-For: 192.168.1.1, EVIL_IP\u003c/code\u003e) or \u003ccode\u003eForwarded\u003c/code\u003e header (e.g., \u003ccode\u003eForwarded: for=\u0026quot;127.0.0.1;attacker_id\u0026quot;\u003c/code\u003e, \u003ccode\u003eForwarded: for=\u0026quot;unknown\u0026quot;\u003c/code\u003e) containing a syntactically invalid, spoofed, or otherwise malformed IP address value.\u003c/li\u003e\n\u003cli\u003eHeimdall, lacking proper validation, extracts this malicious value from the forwarding header and populates its internal \u003ccode\u003eRequest.ClientIPAddresses\u003c/code\u003e property with the attacker-controlled string.\u003c/li\u003e\n\u003cli\u003eIf the heimdall instance uses rules (e.g., a CEL authorizer) that reference \u003ccode\u003eRequest.ClientIPAddresses\u003c/code\u003e to enforce access control (e.g., restricting access to specific IP ranges), these rules evaluate against the spoofed IP.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully bypasses the intended access control logic, gaining unauthorized access or circumventing restrictions based on the spoofed IP address.\u003c/li\u003e\n\u003cli\u003e(Alternative/Concurrent): If heimdall is operating in proxy mode, it uses the manipulated \u003ccode\u003eRequest.ClientIPAddresses\u003c/code\u003e to reconstruct \u003ccode\u003eX-Forwarded-For\u003c/code\u003e and \u003ccode\u003eForwarded\u003c/code\u003e headers before forwarding the request to upstream services.\u003c/li\u003e\n\u003cli\u003eUpstream services that trust these forwarded headers will receive and process the attacker-controlled IP value, potentially leading to incorrect logging, misattribution, or further exploitation within the internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of this vulnerability is the circumvention of application-level access controls and the potential for misattribution or further exploitation of upstream systems. Organizations utilizing \u003ccode\u003edadrus/heimdall\u003c/code\u003e as an API gateway or proxy with the \u003ccode\u003etrusted_proxies\u003c/code\u003e option enabled are at risk. Attackers can bypass IP-based authorization checks, granting them unauthorized access to protected resources. Furthermore, in proxy mode, attacker-controlled IP values can be propagated to backend services, corrupting security logs, impacting forensic investigations, or enabling further attacks that rely on source IP validation. There is no information regarding specific victim counts or targeted sectors in the advisory, but any organization relying on Heimdall's IP-based security features could be affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003edadrus/heimdall\u003c/code\u003e to a version higher than 0.17.16 immediately to patch the vulnerability described in the GHSA advisory.\u003c/li\u003e\n\u003cli\u003eEnsure network-level controls are in place to only permit trusted proxies to communicate directly with your Heimdall instances.\u003c/li\u003e\n\u003cli\u003eConfigure any proxies forwarding requests to Heimdall to sanitize or completely override, rather than append to, existing \u003ccode\u003eForwarded\u003c/code\u003e or \u003ccode\u003eX-Forwarded-For\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eReview and adjust any rules (e.g., CEL authorizer rules) that rely on \u003ccode\u003eRequest.ClientIPAddresses\u003c/code\u003e for security-sensitive decisions, considering the potential for IP spoofing until patches are applied.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect attempts at IP spoofing via manipulated \u003ccode\u003eX-Forwarded-For\u003c/code\u003e and \u003ccode\u003eForwarded\u003c/code\u003e headers.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-06-18T15:12:55Z",
      "date_published": "2026-06-18T15:12:55Z",
      "id": "https://feed.craftedsignal.io/briefs/2026-06-heimdall-ip-spoofing/",
      "summary": "A high-severity vulnerability in dadrus/heimdall (versions \u003c= 0.17.16) enables attackers to spoof client IP addresses by injecting unvalidated or malformed values into `Forwarded` or `X-Forwarded-For` HTTP headers, potentially bypassing access controls or propagating malicious IP data to upstream services when `trusted_proxies` is configured.",
      "title": "Heimdall IP Spoofing via Unvalidated Forwarding Headers",
      "url": "https://feed.craftedsignal.io/briefs/2026-06-heimdall-ip-spoofing/"
    },
    {
      "_cs_actors": [],
      "_cs_cpes": [],
      "_cs_cves": [],
      "_cs_exploited": true,
      "_cs_has_poc": false,
      "_cs_poc_references": [],
      "_cs_products": ["Heimdall (\u003c= 0.17.16)"],
      "_cs_severities": ["high"],
      "_cs_tags": ["header-injection", "proxy", "access-control-bypass", "ip-spoofing", "vulnerability", "web"],
      "_cs_type": "threat",
      "_cs_vendors": ["dadrus"],
      "content_html": "\u003cp\u003eA vulnerability (GHSA-4jgr-pg2m-m988) has been identified in Heimdall, an API gateway and access control solution, specifically affecting versions 0.17.16 and earlier when running in proxy mode. This flaw allows attackers to perform \u003ccode\u003eForwarded\u003c/code\u003e header injection by sending a specially crafted HTTP request where the \u003ccode\u003eHost\u003c/code\u003e header contains unsanitized commas or semicolons followed by \u003ccode\u003efor=\u003c/code\u003e or \u003ccode\u003eproto=\u003c/code\u003e. Heimdall's \u003ccode\u003eproxy/request_context.go\u003c/code\u003e (line 201) directly concatenates the incoming \u003ccode\u003eHost\u003c/code\u003e header value into the \u003ccode\u003eForwarded\u003c/code\u003e header without proper sanitization, enabling an attacker to inject arbitrary \u003ccode\u003efor=\u003c/code\u003e or \u003ccode\u003eproto=\u003c/code\u003e parameters. This flaw can lead to IP address spoofing, tricking upstream services into believing requests originate from trusted or internal IP addresses (e.g., \u003ccode\u003e127.0.0.1\u003c/code\u003e), thereby facilitating access control bypasses for applications configured behind the Heimdall proxy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts an HTTP GET or POST request targeting a resource behind the vulnerable Heimdall proxy.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a malicious \u003ccode\u003eHost\u003c/code\u003e header in the request, such as \u003ccode\u003eHost: evil.com,for=127.0.0.1\u003c/code\u003e or \u003ccode\u003eHost: legit.com;for=10.0.0.1;proto=https\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to the internet-facing Heimdall proxy instance.\u003c/li\u003e\n\u003cli\u003eHeimdall receives the request and, operating in proxy mode, prepares to forward it to the configured upstream service.\u003c/li\u003e\n\u003cli\u003eDuring request forwarding, Heimdall's Go application code concatenates the raw value of the incoming \u003ccode\u003eHost\u003c/code\u003e header into the new \u003ccode\u003eForwarded\u003c/code\u003e header without sanitizing commas or semicolons.\u003c/li\u003e\n\u003cli\u003eHeimdall sends the modified request, now containing an injected \u003ccode\u003eForwarded\u003c/code\u003e header like \u003ccode\u003eForwarded: for=1.2.3.4;host=evil.com, for=127.0.0.1;proto=http\u003c/code\u003e, to the upstream application.\u003c/li\u003e\n\u003cli\u003eThe upstream application, configured to trust the \u003ccode\u003eForwarded\u003c/code\u003e header (especially the last \u003ccode\u003efor=\u003c/code\u003e entry), parses the injected values.\u003c/li\u003e\n\u003cli\u003eThe upstream service misinterprets the spoofed \u003ccode\u003efor=\u003c/code\u003e value as the legitimate client IP, potentially bypassing IP-based access controls (e.g., allowing access to an \u003ccode\u003e/admin-panel\u003c/code\u003e) or logging an incorrect source IP.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of this vulnerability is the ability for attackers to spoof client IP addresses as seen by upstream services. This can directly lead to unauthorized access to sensitive resources, such as administrator panels or internal APIs, if these services rely on IP-based access controls and trust the \u003ccode\u003eForwarded\u003c/code\u003e header provided by Heimdall. Organizations using Heimdall in proxy mode with upstream applications that parse and trust the \u003ccode\u003eForwarded\u003c/code\u003e header, especially those that implement IP allowlisting, are at risk. The vulnerability affects all deployments of Heimdall where these conditions are met, potentially leading to data exfiltration, privilege escalation, or full system compromise of the backend services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch Heimdall installations to a version greater than 0.17.16 to address GHSA-4jgr-pg2m-m988.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM/detection platform to identify active exploitation attempts against your Heimdall proxy.\u003c/li\u003e\n\u003cli\u003eReview webserver logs for the \u003ccode\u003ecs-host\u003c/code\u003e field to detect patterns indicative of attempted exploitation, as identified in the \u0026quot;Detect Heimdall Host Header Injection Attempt\u0026quot; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-06-18T15:11:26Z",
      "date_published": "2026-06-18T15:11:26Z",
      "id": "https://feed.craftedsignal.io/briefs/2026-06-heimdall-forwarded-header-injection/",
      "summary": "Attackers can exploit Heimdall proxy versions \u003c= 0.17.16 operating in proxy mode by injecting malicious values into the `Host` HTTP header, leading to the construction of a manipulated `Forwarded` header that can spoof client IP addresses for upstream services, potentially bypassing IP-based access controls.",
      "title": "Heimdall Proxy Forwarded Header Injection via Unsanitized Host Header",
      "url": "https://feed.craftedsignal.io/briefs/2026-06-heimdall-forwarded-header-injection/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed - Heimdall (\u003c= 0.17.16)",
  "version": "https://jsonfeed.org/version/1.1"
}