GHSA-pqg7-v6wh-3pfp: IP Spoofing and Access Control Bypass via HTTP Header Injection in TsDProxy
Vulnerability ID: GHSA-PQG7-V6WH-3PFP
CVSS Score: 8.5
Published: 2026-07-14
A high-severity input sanitization and header injection vulnerability in TsDProxy allows authenticated Tailscale users to inject arbitrary values into the X-Forwarded-For and X-Real-IP HTTP headers. Because downstream backend services frequently trust these headers to resolve client identities, attackers can exploit this flaw to bypass IP-based access control lists, audit logs, and geo-blocking restrictions.
TL;DR
TsDProxy failed to sanitize client-provided 'X-Forwarded-For' and 'X-Real-IP' headers, enabling authenticated attackers to spoof their identity and bypass downstream IP-based administrative restrictions.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-74
- Attack Vector: Network
- CVSS v3.1: 8.5 (High)
- Impact: Security Bypass / IP Spoofing
- Exploit Status: poc
- KEV Status: Not Listed
Affected Systems
- TsDProxy
-
tsdproxy: < 3.0.0-alpha.3 (Fixed in:
3.0.0-alpha.3)
Code Analysis
Commit: e8200b7
fix: prevent X-Forwarded-For header spoofing
diff --git a/internal/consts/proxymanager.go b/internal/consts/proxymanager.go
index 66f2339..0331f2a 100644
--- a/internal/consts/proxymanager.go
+++ b/internal/consts/proxymanager.go
@@ -22,6 +22,12 @@ const (
HeaderRealIP = "X-Real-IP"
+
+ HeaderXForwardedFor = "X-Forwarded-For"
)
@@ -50,5 +56,6 @@ var TrustedProxyHeaders = []string{
HeaderXForwardedEmail,
HeaderXAuthRequestEmail,
HeaderXForwardedPreferredUsername,
+ HeaderXForwardedFor,
HeaderRealIP,
}
Mitigation Strategies
- Upgrade TsDProxy to safe version 3.0.0-alpha.3 or higher.
- Configure downstream backends to ignore proxy-delivered IP headers from untrusted origins.
- Enforce secondary authentication controls instead of relying purely on network-layer source IPs.
Remediation Steps:
- Identify all active deployments of tsdproxy inside your tailnets.
- Update the deployment manifests or Docker files to use version 3.0.0-alpha.3 or later.
- If using Nginx as backend, verify real_ip settings and ensure 'real_ip_recursive' is enabled.
References
Read the full report for GHSA-PQG7-V6WH-3PFP on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)