Heimdall (<= 0.17.16) - CraftedSignal Threat Feed

Heimdall IP Spoofing via Unvalidated Forwarding Headers

hello@craftedsignal.io — Thu, 18 Jun 2026 15:12:55 +0000

A high-severity vulnerability has been identified in dadrus/heimdall versions up to and including 0.17.16. This flaw allows attackers to spoof client IP addresses when the trusted_proxies option is configured, due to insufficient validation of values extracted from Forwarded and X-Forwarded-For HTTP headers. Heimdall extracts these header values into Request.ClientIPAddresses without checking for syntactically valid IP addresses, accepting arbitrary strings, malformed literals, or RFC 7239 unknown values. Additionally, the Forwarded header parser fails to correctly handle quoted strings containing delimiters (, or ;), leading to misparsing and the creation of malformed entries. This vulnerability can be exploited by manipulating HTTP forwarding headers, allowing attackers to bypass access control rules that rely on Request.ClientIPAddresses for authorization, or to propagate attacker-controlled IP values to upstream services when Heimdall operates in proxy mode.

Attack Chain

An attacker crafts an HTTP request targeting a heimdall instance where the trusted_proxies configuration option is enabled.
The attacker includes a manipulated X-Forwarded-For header (e.g., X-Forwarded-For: 192.168.1.1, EVIL_IP) or Forwarded header (e.g., Forwarded: for="127.0.0.1;attacker_id", Forwarded: for="unknown") containing a syntactically invalid, spoofed, or otherwise malformed IP address value.
Heimdall, lacking proper validation, extracts this malicious value from the forwarding header and populates its internal Request.ClientIPAddresses property with the attacker-controlled string.
If the heimdall instance uses rules (e.g., a CEL authorizer) that reference Request.ClientIPAddresses to enforce access control (e.g., restricting access to specific IP ranges), these rules evaluate against the spoofed IP.
The attacker successfully bypasses the intended access control logic, gaining unauthorized access or circumventing restrictions based on the spoofed IP address.
(Alternative/Concurrent): If heimdall is operating in proxy mode, it uses the manipulated Request.ClientIPAddresses to reconstruct X-Forwarded-For and Forwarded headers before forwarding the request to upstream services.
Upstream services that trust these forwarded headers will receive and process the attacker-controlled IP value, potentially leading to incorrect logging, misattribution, or further exploitation within the internal network.

Impact

The primary impact of this vulnerability is the circumvention of application-level access controls and the potential for misattribution or further exploitation of upstream systems. Organizations utilizing dadrus/heimdall as an API gateway or proxy with the trusted_proxies option enabled are at risk. Attackers can bypass IP-based authorization checks, granting them unauthorized access to protected resources. Furthermore, in proxy mode, attacker-controlled IP values can be propagated to backend services, corrupting security logs, impacting forensic investigations, or enabling further attacks that rely on source IP validation. There is no information regarding specific victim counts or targeted sectors in the advisory, but any organization relying on Heimdall's IP-based security features could be affected.

Recommendation

Upgrade dadrus/heimdall to a version higher than 0.17.16 immediately to patch the vulnerability described in the GHSA advisory.
Ensure network-level controls are in place to only permit trusted proxies to communicate directly with your Heimdall instances.
Configure any proxies forwarding requests to Heimdall to sanitize or completely override, rather than append to, existing Forwarded or X-Forwarded-For headers.
Review and adjust any rules (e.g., CEL authorizer rules) that rely on Request.ClientIPAddresses for security-sensitive decisions, considering the potential for IP spoofing until patches are applied.
Deploy the Sigma rules provided in this brief to your SIEM to detect attempts at IP spoofing via manipulated X-Forwarded-For and Forwarded headers.

Heimdall Proxy Forwarded Header Injection via Unsanitized Host Header

hello@craftedsignal.io — Thu, 18 Jun 2026 15:11:26 +0000

A vulnerability (GHSA-4jgr-pg2m-m988) has been identified in Heimdall, an API gateway and access control solution, specifically affecting versions 0.17.16 and earlier when running in proxy mode. This flaw allows attackers to perform Forwarded header injection by sending a specially crafted HTTP request where the Host header contains unsanitized commas or semicolons followed by for= or proto=. Heimdall's proxy/request_context.go (line 201) directly concatenates the incoming Host header value into the Forwarded header without proper sanitization, enabling an attacker to inject arbitrary for= or proto= parameters. This misconfiguration can lead to IP address spoofing, tricking upstream services into believing requests originate from trusted or internal IP addresses (e.g., 127.0.0.1), thereby facilitating access control bypasses for applications configured behind the Heimdall proxy.

Attack Chain

An attacker crafts an HTTP GET or POST request targeting a resource behind the vulnerable Heimdall proxy.
The attacker includes a malicious Host header in the request, such as Host: evil.com,for=127.0.0.1 or Host: legit.com;for=10.0.0.1;proto=https.
The crafted request is sent to the internet-facing Heimdall proxy instance.
Heimdall receives the request and, operating in proxy mode, prepares to forward it to the configured upstream service.
During request forwarding, Heimdall's Go application code concatenates the raw value of the incoming Host header into the new Forwarded header without sanitizing commas or semicolons.
Heimdall sends the modified request, now containing an injected Forwarded header like Forwarded: for=1.2.3.4;host=evil.com, for=127.0.0.1;proto=http, to the upstream application.
The upstream application, configured to trust the Forwarded header (especially the last for= entry), parses the injected values.
The upstream service misinterprets the spoofed for= value as the legitimate client IP, potentially bypassing IP-based access controls (e.g., allowing access to an /admin-panel) or logging an incorrect source IP.

Impact

The primary impact of this vulnerability is the ability for attackers to spoof client IP addresses as seen by upstream services. This can directly lead to unauthorized access to sensitive resources, such as administrator panels or internal APIs, if these services rely on IP-based access controls and trust the Forwarded header provided by Heimdall. Organizations using Heimdall in proxy mode with upstream applications that parse and trust the Forwarded header, especially those that implement IP allowlisting, are at risk. The vulnerability affects all deployments of Heimdall where these conditions are met, potentially leading to data exfiltration, privilege escalation, or full system compromise of the backend services.

Recommendation

Immediately patch Heimdall installations to a version greater than 0.17.16 to address GHSA-4jgr-pg2m-m988.
Deploy the Sigma rules in this brief to your SIEM/detection platform to identify active exploitation attempts against your Heimdall proxy.
Review webserver logs for the cs-host field to detect patterns indicative of attempted exploitation, as identified in the "Detect Heimdall Host Header Injection Attempt" Sigma rule.