<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Tsdproxy (&lt; 3.0.0-Alpha.3) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/tsdproxy--3.0.0-alpha.3/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 20:27:11 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/tsdproxy--3.0.0-alpha.3/feed.xml" rel="self" type="application/rss+xml"/><item><title>X-Forwarded-For Header Injection Vulnerability in tsdproxy</title><link>https://feed.craftedsignal.io/briefs/2026-07-tsdproxy-ip-spoofing/</link><pubDate>Tue, 14 Jul 2026 20:27:11 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-tsdproxy-ip-spoofing/</guid><description>An authenticated Tailscale user can bypass IP-based access controls, rate limiting, and manipulate audit logs by injecting arbitrary X-Forwarded-For or X-Real-IP headers into proxied requests via `tsdproxy`. This vulnerability stems from `tsdproxy`'s failure to strip these headers before forwarding them, allowing an attacker to spoof their source IP address. This is particularly impactful when `tsdproxy` is the sole enforcement point for backend services, enabling actions such as gaining unauthorized admin access to backend applications.</description><content:encoded><![CDATA[<p>A critical vulnerability (CVE-NONE) has been identified in <code>tsdproxy</code> versions prior to <code>3.0.0-alpha.3</code>, allowing authenticated Tailscale users to inject arbitrary <code>X-Forwarded-For</code> or <code>X-Real-IP</code> headers into proxied requests. The <code>tsdproxy</code> HTTP reverse proxy handler fails to strip these headers from incoming requests before forwarding them to backend services. This omission means that if an attacker provides a spoofed IP address in these headers, <code>tsdproxy</code> will append the legitimate client IP to <code>X-Forwarded-For</code> but will not remove the attacker-supplied value, or in the case of <code>X-Real-IP</code>, forward it verbatim. This enables attackers to bypass IP-based access controls, rate limiting, and manipulate audit logs on downstream applications, posing a significant risk, especially where <code>tsdproxy</code> is the sole access control enforcement point for isolated backend services. The vulnerability was reported by Vishal Shukla.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated Tailscale user identifies a <code>tsdproxy</code> instance fronting a sensitive backend service.</li>
<li>The attacker determines the backend service enforces IP-based restrictions, such as limiting access to <code>/admin</code> paths to <code>127.0.0.1</code>.</li>
<li>The attacker crafts an HTTP request, including a spoofed <code>X-Forwarded-For: 127.0.0.1</code> or <code>X-Real-IP: 127.0.0.1</code> header.</li>
<li>The request is sent through <code>tsdproxy</code>, targeting the sensitive <code>/admin</code> endpoint of the backend service.</li>
<li>Due to the vulnerability, <code>tsdproxy</code> forwards the request without stripping the attacker's spoofed <code>X-Forwarded-For</code> or <code>X-Real-IP</code> header.</li>
<li>The <code>httputil.ProxyRequest.SetXForwarded()</code> function appends the real Tailscale client IP to <code>X-Forwarded-For</code>, resulting in <code>X-Forwarded-For: 127.0.0.1, &lt;real-tailscale-client-ip&gt;</code>. For <code>X-Real-IP</code>, the attacker's <code>127.0.0.1</code> is passed directly.</li>
<li>The backend service, configured to trust the first IP in <code>X-Forwarded-For</code> (or <code>X-Real-IP</code>), interprets the request as originating from <code>127.0.0.1</code>.</li>
<li>The attacker successfully bypasses the IP-based access control, gaining unauthorized access to the <code>/admin</code> functionality.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows an authenticated Tailscale user to significantly escalate their privileges and evade security controls on backend applications protected by <code>tsdproxy</code>. Successful exploitation can lead to unauthorized access to sensitive administrative interfaces, bypassing of critical security mechanisms like rate limiting and geo-blocking, and the ability to manipulate audit logs by falsifying source IP addresses. The impact is particularly severe because <code>tsdproxy</code> is often deployed as the single entry point for otherwise network-isolated backend services, making its header handling crucial for security. Attackers can leverage this to gain full control over backend systems that rely on IP-based authentication or authorization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade <code>tsdproxy</code> to version <code>3.0.0-alpha.3</code> or higher immediately to apply the fix that correctly strips <code>X-Forwarded-For</code> and <code>X-Real-IP</code> headers.</li>
<li>Deploy the Sigma rule &quot;Detect X-Forwarded-For/X-Real-IP Spoofing via tsdproxy&quot; to your SIEM and monitor <code>webserver</code> logs for suspicious header injection attempts targeting sensitive paths.</li>
<li>Review and audit backend application configurations to ensure they correctly interpret <code>X-Forwarded-For</code> headers, ideally by configuring trusted proxies (e.g., <code>real_ip_recursive</code> in Nginx) to prevent spoofing from internal network segments.</li>
<li>Implement additional application-level authentication and authorization beyond IP-based controls for sensitive endpoints to mitigate the risk of header spoofing.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ip-spoofing</category><category>header-injection</category><category>reverse-proxy</category><category>access-control-bypass</category><category>tailscale</category><category>network</category></item></channel></rss>