CVE-2025-66508
Published 2025-12-09
Priority: P3 (41) · Severity: medium · CVSS 3.1 base score: 6.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.20% (9.5th percentile)
1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.14 and below use Gin's default configuration which trusts all IP addresses as proxies (TrustedProxies = 0.0.0.0/0), allowing any client to spoof the X-Forwarded-For header. Since all IP-based access controls (AllowIPs, API whitelists, localhost-only checks) rely on ClientIP(), attackers can bypass these protections by simply sending X-Forwarded-For: 127.0.0.1 or any whitelisted IP. This renders all IP-based security controls ineffective. This issue is fixed in version 2.0.14.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 1panel-dev | 1panel | < 2.0.14 | 2.0.14 |
| fit2cloud | 1panel | < 2.0.14 | 2.0.14 |
| github.com | 1panel-dev_1panel | >= 0 < 2.0.14 | 2.0.14 |
| github.com | 1panel-dev_1panel | >= 0 < 2.0.14+incompatible | 2.0.14+incompatible |
| github.com | 1panel-dev_1panel_agent | >= 0 < 0.0.0-20251201063338-94f7d78cc976 | 0.0.0-20251201063338-94f7d78cc976 |
OSV (osv · 2025-12-15)
CVE-2025-66508 1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers in github.com/1Panel-dev/1Panel
OSV (osv · 2025-12-08)
CVE-2025-66508 [MEDIUM] 1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers
### Summary
The server trusts all reverse-proxy headers by default, so any remote client can spoof `X-Forwarded-For` to bypass IP-based protections (AllowIPs, API IP whitelist, “localhost-only” checks). All IP-based access control becomes ineffective.
### Details
- Gin is created with defaults (`gin.Default()`), which sets `TrustedProxies = 0.0.0.0/0` and uses `X-Forwarded-For`/`X-Real-IP` to compute `ClientIP()`.
- IP-based controls rely on `ClientIP()`:
  - AllowIPs / BindDomain (core/middleware/ip_limit.go, core/utils/security/security.go).
  - API IP whitelist (core/middleware/api_auth.go).
  - "localhost-only" checks that depend on `ClientIP()`.
- Because no trusted-proxy range is enforced, any client can send `X-Forw
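The following Go program is an added illustration, not code from 1Panel or from Gin. It re-implements, in a simplified form and using only the standard library, the resolution rule Gin's `ClientIP()` applies (forwarded headers are honoured only when the TCP peer is a trusted proxy, and the header is walked from right to left past trusted hops), then runs the same spoofed request against the trust-everything default the advisory describes and against a constructed hardened setting that trusts only the reverse proxy's subnet (the `10.0.0.0/8` range, the `203.0.113.7` peer and the `198.51.100.9` client are assumed sample values). An AllowIPs-style check is included to show why its outcome depends entirely on which configuration feeds it.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// ginDefaultTrusted reproduces the Gin default the advisory describes:
// every peer counts as a trusted proxy, so forwarded headers are always honoured.
var ginDefaultTrusted = mustPrefixes("0.0.0.0/0", "::/0")

// edgeOnlyTrusted is a constructed hardened setting (assumption): only the
// reverse proxy's subnet may supply X-Forwarded-For.
var edgeOnlyTrusted = mustPrefixes("10.0.0.0/8")

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// isTrusted reports whether ip falls inside any trusted-proxy prefix.
func isTrusted(ip netip.Addr, trusted []netip.Prefix) bool {
	ip = ip.Unmap() // treat ::ffff:a.b.c.d as a.b.c.d so IPv4 prefixes match it
	for _, p := range trusted {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP resolves the client address the way Gin's ClientIP() does
// (simplified re-implementation, not Gin's code): the socket peer is the
// answer unless it is a trusted proxy; if it is, X-Forwarded-For is walked
// from right to left and the first hop that is not a trusted proxy (or the
// leftmost hop) is reported as the client.
func clientIP(remoteAddr, xff string, trusted []netip.Prefix) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port component
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return host
	}
	if xff == "" || !isTrusted(peer, trusted) {
		return peer.Unmap().String() // untrusted peer: forwarded headers are ignored
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		hop, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed header entry: fall back to the socket peer
		}
		if i == 0 || !isTrusted(hop, trusted) {
			return hop.Unmap().String()
		}
	}
	return peer.Unmap().String()
}

// allowedByList is the kind of AllowIPs-style check the advisory says depends
// on ClientIP(): it protects nothing unless the address it is given is genuine.
func allowedByList(ip string, allowIPs []string) bool {
	for _, a := range allowIPs {
		if a == ip {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request: the socket peer is an arbitrary internet address,
	// while the header claims the request originated on localhost.
	peer := "203.0.113.7:51234"
	spoofed := "127.0.0.1"
	allow := []string{"127.0.0.1"}

	ipDefault := clientIP(peer, spoofed, ginDefaultTrusted)
	ipHardened := clientIP(peer, spoofed, edgeOnlyTrusted)
	fmt.Printf("trust-all default: ClientIP=%s allowed=%v\n", ipDefault, allowedByList(ipDefault, allow))
	fmt.Printf("edge-only trusted: ClientIP=%s allowed=%v\n", ipHardened, allowedByList(ipHardened, allow))

	// Legitimate path: the trusted reverse proxy forwards a real client address.
	fmt.Println("via trusted proxy:", clientIP("10.0.0.5:4000", "198.51.100.9", edgeOnlyTrusted))
}
```

In a real Gin deployment the equivalent of `edgeOnlyTrusted` is set with `engine.SetTrustedProxies([]string{"10.0.0.0/8"})` (or `nil` when no proxy sits in front of the service), after which a header arriving directly from the internet no longer influences `ClientIP()`. Detection-wise, a request whose `X-Forwarded-For` names a loopback or whitelisted address while the socket peer is an external address is the pattern worth alerting on at the reverse proxy.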
GHSA (ghsa · 2025-12-08)
CVE-2025-66508 [MEDIUM] CWE-290 1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers
No detection rules found.
No public exploits indexed.
Published: 2025-12-09