{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/access-bypass/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["heimdall (\u003c= 0.17.16)"],"_cs_severities":["high"],"_cs_tags":["ip-spoofing","access-bypass","web-application","github-advisory"],"_cs_type":"advisory","_cs_vendors":["dadrus"],"content_html":"\u003cp\u003eA high-severity vulnerability has been identified in \u003ccode\u003edadrus/heimdall\u003c/code\u003e versions up to and including 0.17.16. This flaw allows attackers to spoof client IP addresses when the \u003ccode\u003etrusted_proxies\u003c/code\u003e option is configured, due to insufficient validation of values extracted from \u003ccode\u003eForwarded\u003c/code\u003e and \u003ccode\u003eX-Forwarded-For\u003c/code\u003e HTTP headers. Heimdall extracts these header values into \u003ccode\u003eRequest.ClientIPAddresses\u003c/code\u003e without checking for syntactically valid IP addresses, accepting arbitrary strings, malformed literals, or RFC 7239 \u003ccode\u003eunknown\u003c/code\u003e values. Additionally, the \u003ccode\u003eForwarded\u003c/code\u003e header parser fails to correctly handle quoted strings containing delimiters (\u003ccode\u003e,\u003c/code\u003e or \u003ccode\u003e;\u003c/code\u003e), leading to misparsing and the creation of malformed entries. This vulnerability can be exploited by manipulating HTTP forwarding headers, allowing attackers to bypass access control rules that rely on \u003ccode\u003eRequest.ClientIPAddresses\u003c/code\u003e for authorization, or to propagate attacker-controlled IP values to upstream services when Heimdall operates in proxy mode.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts an HTTP request targeting a heimdall instance where the \u003ccode\u003etrusted_proxies\u003c/code\u003e configuration option is enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a manipulated \u003ccode\u003eX-Forwarded-For\u003c/code\u003e header (e.g., \u003ccode\u003eX-Forwarded-For: 192.168.1.1, EVIL_IP\u003c/code\u003e) or \u003ccode\u003eForwarded\u003c/code\u003e header (e.g., \u003ccode\u003eForwarded: for=\u0026quot;127.0.0.1;attacker_id\u0026quot;\u003c/code\u003e, \u003ccode\u003eForwarded: for=\u0026quot;unknown\u0026quot;\u003c/code\u003e) containing a syntactically invalid, spoofed, or otherwise malformed IP address value.\u003c/li\u003e\n\u003cli\u003eHeimdall, lacking proper validation, extracts this malicious value from the forwarding header and populates its internal \u003ccode\u003eRequest.ClientIPAddresses\u003c/code\u003e property with the attacker-controlled string.\u003c/li\u003e\n\u003cli\u003eIf the heimdall instance uses rules (e.g., a CEL authorizer) that reference \u003ccode\u003eRequest.ClientIPAddresses\u003c/code\u003e to enforce access control (e.g., restricting access to specific IP ranges), these rules evaluate against the spoofed IP.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully bypasses the intended access control logic, gaining unauthorized access or circumventing restrictions based on the spoofed IP address.\u003c/li\u003e\n\u003cli\u003e(Alternative/Concurrent): If heimdall is operating in proxy mode, it uses the manipulated \u003ccode\u003eRequest.ClientIPAddresses\u003c/code\u003e to reconstruct \u003ccode\u003eX-Forwarded-For\u003c/code\u003e and \u003ccode\u003eForwarded\u003c/code\u003e headers before forwarding the request to upstream services.\u003c/li\u003e\n\u003cli\u003eUpstream services that trust these forwarded headers will receive and process the attacker-controlled IP value, potentially leading to incorrect logging, misattribution, or further exploitation within the internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of this vulnerability is the circumvention of application-level access controls and the potential for misattribution or further exploitation of upstream systems. Organizations utilizing \u003ccode\u003edadrus/heimdall\u003c/code\u003e as an API gateway or proxy with the \u003ccode\u003etrusted_proxies\u003c/code\u003e option enabled are at risk. Attackers can bypass IP-based authorization checks, granting them unauthorized access to protected resources. Furthermore, in proxy mode, attacker-controlled IP values can be propagated to backend services, corrupting security logs, impacting forensic investigations, or enabling further attacks that rely on source IP validation. There is no information regarding specific victim counts or targeted sectors in the advisory, but any organization relying on Heimdall's IP-based security features could be affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003edadrus/heimdall\u003c/code\u003e to a version higher than 0.17.16 immediately to patch the vulnerability described in the GHSA advisory.\u003c/li\u003e\n\u003cli\u003eEnsure network-level controls are in place to only permit trusted proxies to communicate directly with your Heimdall instances.\u003c/li\u003e\n\u003cli\u003eConfigure any proxies forwarding requests to Heimdall to sanitize or completely override, rather than append to, existing \u003ccode\u003eForwarded\u003c/code\u003e or \u003ccode\u003eX-Forwarded-For\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eReview and adjust any rules (e.g., CEL authorizer rules) that rely on \u003ccode\u003eRequest.ClientIPAddresses\u003c/code\u003e for security-sensitive decisions, considering the potential for IP spoofing until patches are applied.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect attempts at IP spoofing via manipulated \u003ccode\u003eX-Forwarded-For\u003c/code\u003e and \u003ccode\u003eForwarded\u003c/code\u003e headers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:12:55Z","date_published":"2026-06-18T15:12:55Z","id":"https://feed.craftedsignal.io/briefs/2026-06-heimdall-ip-spoofing/","summary":"A high-severity vulnerability in dadrus/heimdall (versions \u003c= 0.17.16) enables attackers to spoof client IP addresses by injecting unvalidated or malformed values into `Forwarded` or `X-Forwarded-For` HTTP headers, potentially bypassing access controls or propagating malicious IP data to upstream services when `trusted_proxies` is configured.","title":"Heimdall IP Spoofing via Unvalidated Forwarding Headers","url":"https://feed.craftedsignal.io/briefs/2026-06-heimdall-ip-spoofing/"}],"language":"en","title":"CraftedSignal Threat Feed - Access-Bypass","version":"https://jsonfeed.org/version/1.1"}