{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/tailscale/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["tsdproxy (\u003c 3.0.0-alpha.3)"],"_cs_severities":["high"],"_cs_tags":["ip-spoofing","header-injection","reverse-proxy","access-control-bypass","tailscale","network"],"_cs_type":"advisory","_cs_vendors":["almeidapaulopt"],"content_html":"\u003cp\u003eA critical vulnerability (CVE-NONE) has been identified in \u003ccode\u003etsdproxy\u003c/code\u003e versions prior to \u003ccode\u003e3.0.0-alpha.3\u003c/code\u003e, allowing authenticated Tailscale users to inject arbitrary \u003ccode\u003eX-Forwarded-For\u003c/code\u003e or \u003ccode\u003eX-Real-IP\u003c/code\u003e headers into proxied requests. The \u003ccode\u003etsdproxy\u003c/code\u003e HTTP reverse proxy handler fails to strip these headers from incoming requests before forwarding them to backend services. This omission means that if an attacker provides a spoofed IP address in these headers, \u003ccode\u003etsdproxy\u003c/code\u003e will append the legitimate client IP to \u003ccode\u003eX-Forwarded-For\u003c/code\u003e but will not remove the attacker-supplied value, or in the case of \u003ccode\u003eX-Real-IP\u003c/code\u003e, forward it verbatim. This enables attackers to bypass IP-based access controls, rate limiting, and manipulate audit logs on downstream applications, posing a significant risk, especially where \u003ccode\u003etsdproxy\u003c/code\u003e is the sole access control enforcement point for isolated backend services. The vulnerability was reported by Vishal Shukla.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated Tailscale user identifies a \u003ccode\u003etsdproxy\u003c/code\u003e instance fronting a sensitive backend service.\u003c/li\u003e\n\u003cli\u003eThe attacker determines the backend service enforces IP-based restrictions, such as limiting access to \u003ccode\u003e/admin\u003c/code\u003e paths to \u003ccode\u003e127.0.0.1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request, including a spoofed \u003ccode\u003eX-Forwarded-For: 127.0.0.1\u003c/code\u003e or \u003ccode\u003eX-Real-IP: 127.0.0.1\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe request is sent through \u003ccode\u003etsdproxy\u003c/code\u003e, targeting the sensitive \u003ccode\u003e/admin\u003c/code\u003e endpoint of the backend service.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, \u003ccode\u003etsdproxy\u003c/code\u003e forwards the request without stripping the attacker's spoofed \u003ccode\u003eX-Forwarded-For\u003c/code\u003e or \u003ccode\u003eX-Real-IP\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttputil.ProxyRequest.SetXForwarded()\u003c/code\u003e function appends the real Tailscale client IP to \u003ccode\u003eX-Forwarded-For\u003c/code\u003e, resulting in \u003ccode\u003eX-Forwarded-For: 127.0.0.1, \u0026lt;real-tailscale-client-ip\u0026gt;\u003c/code\u003e. For \u003ccode\u003eX-Real-IP\u003c/code\u003e, the attacker's \u003ccode\u003e127.0.0.1\u003c/code\u003e is passed directly.\u003c/li\u003e\n\u003cli\u003eThe backend service, configured to trust the first IP in \u003ccode\u003eX-Forwarded-For\u003c/code\u003e (or \u003ccode\u003eX-Real-IP\u003c/code\u003e), interprets the request as originating from \u003ccode\u003e127.0.0.1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully bypasses the IP-based access control, gaining unauthorized access to the \u003ccode\u003e/admin\u003c/code\u003e functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an authenticated Tailscale user to significantly escalate their privileges and evade security controls on backend applications protected by \u003ccode\u003etsdproxy\u003c/code\u003e. Successful exploitation can lead to unauthorized access to sensitive administrative interfaces, bypassing of critical security mechanisms like rate limiting and geo-blocking, and the ability to manipulate audit logs by falsifying source IP addresses. The impact is particularly severe because \u003ccode\u003etsdproxy\u003c/code\u003e is often deployed as the single entry point for otherwise network-isolated backend services, making its header handling crucial for security. Attackers can leverage this to gain full control over backend systems that rely on IP-based authentication or authorization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003etsdproxy\u003c/code\u003e to version \u003ccode\u003e3.0.0-alpha.3\u003c/code\u003e or higher immediately to apply the fix that correctly strips \u003ccode\u003eX-Forwarded-For\u003c/code\u003e and \u003ccode\u003eX-Real-IP\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect X-Forwarded-For/X-Real-IP Spoofing via tsdproxy\u0026quot; to your SIEM and monitor \u003ccode\u003ewebserver\u003c/code\u003e logs for suspicious header injection attempts targeting sensitive paths.\u003c/li\u003e\n\u003cli\u003eReview and audit backend application configurations to ensure they correctly interpret \u003ccode\u003eX-Forwarded-For\u003c/code\u003e headers, ideally by configuring trusted proxies (e.g., \u003ccode\u003ereal_ip_recursive\u003c/code\u003e in Nginx) to prevent spoofing from internal network segments.\u003c/li\u003e\n\u003cli\u003eImplement additional application-level authentication and authorization beyond IP-based controls for sensitive endpoints to mitigate the risk of header spoofing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:27:11Z","date_published":"2026-07-14T20:27:11Z","id":"https://feed.craftedsignal.io/briefs/2026-07-tsdproxy-ip-spoofing/","summary":"An authenticated Tailscale user can bypass IP-based access controls, rate limiting, and manipulate audit logs by injecting arbitrary X-Forwarded-For or X-Real-IP headers into proxied requests via `tsdproxy`. This vulnerability stems from `tsdproxy`'s failure to strip these headers before forwarding them, allowing an attacker to spoof their source IP address. This is particularly impactful when `tsdproxy` is the sole enforcement point for backend services, enabling actions such as gaining unauthorized admin access to backend applications.","title":"X-Forwarded-For Header Injection Vulnerability in tsdproxy","url":"https://feed.craftedsignal.io/briefs/2026-07-tsdproxy-ip-spoofing/"}],"language":"en","title":"CraftedSignal Threat Feed - Tailscale","version":"https://jsonfeed.org/version/1.1"}