DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-84G5-X8J3-7235: DNS Filter Bypass via Off-by-one Error in Netfoil Suffix Trie

Vulnerability ID: GHSA-84G5-X8J3-7235
CVSS Score: 7.5
Published: 2026-04-29

Netfoil versions prior to v0.2.1 contain an off-by-one logic error within the custom suffix trie implementation used for domain matching. This flaw allows an attacker to bypass DNS allowlist configurations by prepending arbitrary characters to approved domain names.

TL;DR

An off-by-one error in Netfoil's domain matching logic ignores the first character of incoming domains, allowing attackers to bypass DNS filters by adding a prefix to allowed domains.
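The loop bound from the fix, shown here as an added Go illustration rather than Netfoil's own code: with the pre-v0.2.1 bound (`i > 0`) neither Insert nor MatchExact ever visits word[0], so an allowed entry and a query that differ only in their first byte compare equal; with `i >= 0` they do not. The node layout, the map of children and the NewTrie/walk helpers are assumptions.

```go
package main

// Suffix trie walked from the last byte towards the first, as in Netfoil's `i--` loops. Layout is assumed.
type node struct {
	children map[byte]*node
	terminal bool // a stored entry ends at this node
}
type Trie struct {
	root *node
	low  int // lowest index visited: 1 reproduces the pre-v0.2.1 bound (i > 0), 0 the fix
}

// NewTrie(true) builds the off-by-one variant, NewTrie(false) the v0.2.1 behaviour.
func NewTrie(offByOne bool) *Trie {
	t := &Trie{root: &node{children: map[byte]*node{}}}
	if offByOne {
		t.low = 1 // word[0] is skipped on every insert and match
	}
	return t
}

func (t *Trie) Insert(word []byte) {
	n := t.root
	for i := len(word) - 1; i >= t.low; i-- {
		if _, ok := n.children[word[i]]; !ok {
			n.children[word[i]] = &node{children: map[byte]*node{}}
		}
		n = n.children[word[i]]
	}
	n.terminal = true
}

// walk follows word from its end; suffix=true succeeds as soon as a stored entry ends.
func (t *Trie) walk(word []byte, suffix bool) bool {
	n := t.root
	for i := len(word) - 1; i >= t.low; i-- {
		c, ok := n.children[word[i]]
		if !ok {
			return false
		}
		n = c
		if suffix && n.terminal {
			return true
		}
	}
	return !suffix && n.terminal
}
func (t *Trie) MatchExact(word []byte) bool { return t.walk(word, false) }

// MatchSuffix rejects empty input first, as the v0.2.1 guard does.
func (t *Trie) MatchSuffix(word []byte) bool { return len(word) > 0 && t.walk(word, true) }
```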


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Incorrect allowlist enforcement
  • CWE ID: CWE-193, CWE-285
  • Attack Vector: Network
  • Impact: Security feature bypass (DNS filtering)
  • Exploit Status: Unauthenticated Bypass
  • Patch Status: Fixed in v0.2.1

Affected Systems

  • Netfoil DNS Proxy (< v0.2.1)
  • Netfoil: < 0.2.1 (Fixed in: v0.2.1)

Code Analysis

Commit: 0ca054a

Fix off-by-one error in suffixtrie matching logic

@@ -15,7 +15,7 @@ func (t *Trie) Insert(word []byte) {
-    for i := len(word) - 1; i > 0; i-- {
+    for i := len(word) - 1; i >= 0; i-- {
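Review bot: the old bound `i > 0` in Insert never visits word[0], so every stored entry lost its leading byte and a one-byte entry ran zero loop iterations; `i >= 0` is the correct bound. Add a regression test that inserts two entries differing only in their first byte and asserts they are stored as distinct keys.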
@@ -32,7 +32,7 @@ func (t *Trie) MatchExact(word []byte) bool {
-    for i := len(word) - 1; i > 0; i-- {
+    for i := len(word) - 1; i >= 0; i-- {
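Review bot: same bound fix in MatchExact; because Insert and MatchExact were both off by one, a stored entry and a query that differ only in their first byte compared equal before this change. Worth a test asserting that MatchExact rejects such a query after the fix.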
@@ -50,6 +50,9 @@ func (t *Trie) MatchSuffix(word []byte) bool {
+    if len(word) == 0 {
+        return false
+    }
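Review bot: the empty-input guard is the only change shown for MatchSuffix, while Insert and MatchExact had their loop bounds corrected; confirm that MatchSuffix's own loop (outside the visible lines) already uses `i >= 0`, and consider the same `len(word) == 0` guard in Insert so an empty entry is rejected rather than stored as a zero-length key.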

Mitigation Strategies

  • Upgrade Netfoil to version v0.2.1 or later.
  • Audit DNS request logs for anomalous queries resembling allowed domains with single-character prefixes.
  • Implement independent Layer 3/4 egress filtering to restrict outbound network connections.

Remediation Steps

  1. Stop the vulnerable Netfoil proxy service.
  2. Download the Netfoil v0.2.1 release binary from the official repository.
  3. Replace the existing binary with the v0.2.1 release.
  4. Restart the Netfoil proxy service.
  5. Verify the update by querying an invalid prefixed domain (e.g., 'x[allowed-domain].com') and ensuring it is correctly blocked.


Read the full report for GHSA-84G5-X8J3-7235 on our website for more details including interactive diagrams and full exploit analysis.
