CVE-2025-66508
published 2025-12-09


Priority: P3 (41)
CVSS 3.1: 6.5 (medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.20% (9.5th percentile)
1Panel is an open-source, web-based control panel for Linux server management. Versions prior to 2.0.14 run with Gin's default trusted-proxy configuration, which treats every peer address as a reverse proxy (TrustedProxies = 0.0.0.0/0), so Gin's ClientIP() honours the X-Forwarded-For header no matter who sent the request. All of 1Panel's IP-based access controls (AllowIPs, the API whitelist and the localhost-only checks) are built on ClientIP(), so an unauthenticated attacker can satisfy them by adding X-Forwarded-For: 127.0.0.1, or any other whitelisted address, to the request; no proxy in the path and no other precondition is needed. This renders every IP-based control in the affected versions ineffective. The issue is fixed in version 2.0.14. When applying the fix to a deployment that sits behind a reverse proxy, TrustedProxies should be set to the proxy's own address rather than left at the default or emptied entirely: with an empty list ClientIP() returns the proxy's IP for every request, which makes the allow-list admit or reject all clients together.
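The mechanism behind the bypass, as an added illustration that is not 1Panel's or Gin's code: clientIP below is a simplified reimplementation of the semantics Gin's ClientIP() applies (consult X-Forwarded-For only when the TCP peer is a trusted proxy, then walk the header right to left past trusted hops), and allowed() models an allow-list such as AllowIPs on top of it. The peer addresses, the /api/v2/hosts path, the 10.0.0.5 proxy address and the allow-list contents are constructed for the example. The trust-all setting reproduces the vulnerable default; the hardened setting trusts only the real proxy.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ipAllowList models an IP-based access control such as 1Panel's AllowIPs:
// a request is admitted only if the resolved client IP is in the set.
type ipAllowList map[string]bool

// clientIP mirrors the shape of gin's Context.ClientIP() (simplified
// reimplementation for illustration, not gin's code): the address comes from
// the TCP peer; X-Forwarded-For is consulted only when that peer is inside
// trustedProxies, and the header is walked right to left, returning the first
// hop that is not itself a trusted proxy (or the leftmost entry if all are).
func clientIP(r *http.Request, trustedProxies []*net.IPNet) string {
	remote, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		remote = r.RemoteAddr
	}
	remoteIP := net.ParseIP(remote)
	if remoteIP == nil || !inTrusted(remoteIP, trustedProxies) {
		return remote // peer is not a proxy we trust: the header is ignored
	}
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return remote
	}
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(parts[i]))
		if ip == nil {
			return remote // malformed header: fall back to the peer address
		}
		if i == 0 || !inTrusted(ip, trustedProxies) {
			return ip.String()
		}
	}
	return remote
}

func inTrusted(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func mustCIDRs(cidrs ...string) []*net.IPNet {
	var out []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

var (
	// Vulnerable default: every peer is treated as a proxy.
	trustAll = mustCIDRs("0.0.0.0/0", "::/0")
	// Hardened: only the real reverse proxy (constructed address) is trusted.
	trustRealProxy = mustCIDRs("10.0.0.5/32")
)

// allowed reports whether a request from peer (host:port) carrying the given
// X-Forwarded-For value passes the allow-list under a trusted-proxy setting.
func allowed(peer, xff string, trusted []*net.IPNet, list ipAllowList) bool {
	r, _ := http.NewRequest("GET", "/api/v2/hosts", nil) // path is illustrative
	r.RemoteAddr = peer
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return list[clientIP(r, trusted)]
}

func main() {
	list := ipAllowList{"127.0.0.1": true}
	attacker := "203.0.113.7:51234" // constructed external peer
	fmt.Println("trust-all, spoofed XFF:        ", allowed(attacker, "127.0.0.1", trustAll, list))
	fmt.Println("real proxy only, spoofed XFF:  ", allowed(attacker, "127.0.0.1", trustRealProxy, list))
	fmt.Println("via proxy, client-injected XFF:", allowed("10.0.0.5:40000", "127.0.0.1, 203.0.113.7", trustRealProxy, list))
	fmt.Println("direct localhost, no XFF:      ", allowed("127.0.0.1:5000", "", trustRealProxy, list))
}
```

The third case shows why the right-to-left walk matters: a client behind the real proxy can still prepend 127.0.0.1 to the header, but the proxy appends the true client address as the rightmost hop, and that is the first untrusted entry the walk reaches.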

Affected (5 ranges)

Vendor        Product                         Version range                                Fixed in
1panel-dev    1panel                          < 2.0.14                                     2.0.14
fit2cloud     1panel                          < 2.0.14                                     2.0.14
github.com    1panel-dev/1panel               >= 0, < 2.0.14                               2.0.14
github.com    1panel-dev/1panel               >= 0, < 2.0.14+incompatible                  2.0.14+incompatible
github.com    1panel-dev/1panel/agent         >= 0, < 0.0.0-20251201063338-94f7d78cc976    0.0.0-20251201063338-94f7d78cc976