CVE-2025-48865 | P3 | CRITICAL | CVSS 9.8 | ≥ 0, < 1.6.6 | 2025-05-29
CVE-2025-48865 [CRITICAL] CWE-345 Fabio allows HTTP clients to manipulate custom headers it adds
### Summary
Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers.
Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP
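
An added example, not Fabio's code and not taken from the advisory: one way for a Go reverse proxy to process hop-by-hop headers without letting a client remove the headers the proxy itself sets. It assumes headers are nominated as hop-by-hop through the request's `Connection` header, as RFC 7230 section 6.1 describes; `proxyOwned`, `stripHopByHop` and `forward` are hypothetical names, and the sample request is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
	"strings"
)

// Headers the proxy sets itself; a client must never be able to remove them.
var proxyOwned = map[string]bool{
	"X-Forwarded-For": true, "X-Forwarded-Host": true,
	"X-Forwarded-Port": true, "X-Forwarded-Proto": true,
}

// stripHopByHop deletes headers nominated by the client's Connection header and
// returns any proxy-owned names the client nominated, for logging or alerting.
func stripHopByHop(h http.Header) (suspicious []string) {
	for _, line := range h.Values("Connection") {
		for _, tok := range strings.Split(line, ",") {
			name := textproto.CanonicalMIMEHeaderKey(strings.TrimSpace(tok))
			if proxyOwned[name] {
				suspicious = append(suspicious, name)
			}
			h.Del(name) // drops only the client-supplied copy
		}
	}
	h.Del("Connection")
	return suspicious
}

// forward builds the backend header set in the safe order: strip
// client-nominated hop-by-hop headers first, set the proxy's headers last.
func forward(in http.Header, host, port string) (http.Header, []string) {
	out := in.Clone()
	suspicious := stripHopByHop(out)
	out.Set("X-Forwarded-Host", host)
	out.Set("X-Forwarded-Port", port)
	return out, suspicious
}

func main() {
	// Constructed sample: a request that nominates a proxy-owned header.
	in := http.Header{}
	in.Set("Connection", "close, X-Forwarded-Host")
	in.Set("X-Forwarded-Host", "spoofed.example")
	out, sus := forward(in, "app.example", "443")
	fmt.Println(out.Get("X-Forwarded-Host"), sus)
}
```

Because the proxy's values are written after the hop-by-hop pass, the backend always receives them, and the returned list gives a signal worth logging when a client nominates one of those names.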