DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-PQG7-V6WH-3PFP: GHSA-pqg7-v6wh-3pfp: IP Spoofing and Access Control Bypass via HTTP Header Injection in TsDProxy

GHSA-pqg7-v6wh-3pfp: IP Spoofing and Access Control Bypass via HTTP Header Injection in TsDProxy

Vulnerability ID: GHSA-PQG7-V6WH-3PFP
CVSS Score: 8.5
Published: 2026-07-14

A high-severity input sanitization and header injection vulnerability in TsDProxy allows authenticated Tailscale users to inject arbitrary values into the X-Forwarded-For and X-Real-IP HTTP headers. Because downstream backend services frequently trust these headers to resolve client identities, attackers can exploit this flaw to bypass IP-based access control lists, audit logs, and geo-blocking restrictions.

TL;DR

TsDProxy failed to sanitize client-provided 'X-Forwarded-For' and 'X-Real-IP' headers, enabling authenticated attackers to spoof their identity and bypass downstream IP-based administrative restrictions.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-74
  • Attack Vector: Network
  • CVSS v3.1: 8.5 (High)
  • Impact: Security Bypass / IP Spoofing
  • Exploit Status: poc
  • KEV Status: Not Listed

Affected Systems

  • TsDProxy
  • tsdproxy: < 3.0.0-alpha.3 (Fixed in: 3.0.0-alpha.3)

Code Analysis

Commit: e8200b7

fix: prevent X-Forwarded-For header spoofing

diff --git a/internal/consts/proxymanager.go b/internal/consts/proxymanager.go
index 66f2339..0331f2a 100644
--- a/internal/consts/proxymanager.go
+++ b/internal/consts/proxymanager.go
@@ -22,6 +22,12 @@ const (
    HeaderRealIP = "X-Real-IP"
+
+   HeaderXForwardedFor = "X-Forwarded-For"
 )
@@ -50,5 +56,6 @@ var TrustedProxyHeaders = []string{
    HeaderXForwardedEmail,
    HeaderXAuthRequestEmail,
    HeaderXForwardedPreferredUsername,
+   HeaderXForwardedFor,
    HeaderRealIP,
 }
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade TsDProxy to safe version 3.0.0-alpha.3 or higher.
  • Configure downstream backends to ignore proxy-delivered IP headers from untrusted origins.
  • Enforce secondary authentication controls instead of relying purely on network-layer source IPs.

Remediation Steps:

  1. Identify all active deployments of tsdproxy inside your tailnets.
  2. Update the deployment manifests or Docker files to use version 3.0.0-alpha.3 or later.
  3. If using Nginx as backend, verify real_ip settings and ensure 'real_ip_recursive' is enabled.

References


Read the full report for GHSA-PQG7-V6WH-3PFP on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)