CVE-2023-45132

9.1 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass NAXSI web application firewall protection when malicious X-Forwarded-For headers match IgnoreIP or IgnoreCIDR rules. It affects NAXSI WAF installations running versions 1.3 through 1.5.9. Attackers can potentially bypass security controls and execute attacks that would normally be blocked.

💻 Affected Systems

Products:
  • NAXSI Web Application Firewall
Versions: 1.3 through 1.5.9
Operating Systems: Linux, Unix systems running NGINX
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when IgnoreIP or IgnoreCIDR rules are configured. Systems without these rules configured are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete WAF bypass allowing SQL injection, XSS, command injection, and other web attacks to reach backend applications undetected.

🟠 Likely Case

Partial WAF bypass enabling attackers to evade specific security rules and deliver payloads that would normally be blocked.

🟢 If Mitigated

Minimal impact if proper network segmentation and additional security controls are in place behind the WAF.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted X-Forwarded-For headers that match configured IgnoreIP/IgnoreCIDR rules.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6

Vendor Advisory: https://github.com/wargio/naxsi/security/advisories/GHSA-7qjc-q4j9-pc8x

Restart Required: Yes

Instructions:

1. Backup current NAXSI configuration.
2. Update NAXSI to version 1.6 or later.
3. Restart NGINX service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Remove IgnoreIP/IgnoreCIDR rules

Temporarily remove or comment out all IgnoreIP and IgnoreCIDR rules from NAXSI configuration files.

# Edit naxsi configuration files and remove lines containing IgnoreIP or IgnoreCIDR
# Restart NGINX: sudo systemctl restart nginx

🧯 If You Can't Patch

  • Implement network-level controls to restrict access to the WAF from untrusted sources
  • Deploy additional security monitoring for suspicious X-Forwarded-For header patterns

🔍 How to Verify

Check if Vulnerable:

Check NAXSI version and verify if IgnoreIP/IgnoreCIDR rules are configured in naxsi configuration files.

Check Version:

grep -ri 'naxsi' /etc/nginx/ | grep -i version
# If nothing is found, check the NAXSI source installation directory instead

Verify Fix Applied:

Verify NAXSI version is 1.6 or later and test with crafted X-Forwarded-For headers that previously matched Ignore rules.

📡 Detection & Monitoring

Log Indicators:

  • Multiple X-Forwarded-For headers in requests
  • Requests with X-Forwarded-For values matching internal IP ranges
  • Unusual bypass of normally blocked request patterns
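As an added example (not part of this advisory), the following Python check scans nginx access-log lines for the second indicator above: X-Forwarded-For values that fall inside an IgnoreIP/IgnoreCIDR range while the real TCP peer does not. The ignore ranges, the log format (XFF appended as the last quoted field) and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed example: ranges an operator might have whitelisted with
# IgnoreIP / IgnoreCIDR rules (hypothetical values, not from the advisory).
IGNORED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]
IGNORED_IPS = {ipaddress.ip_address("203.0.113.7")}

# Assumes an nginx log_format that appends "$http_x_forwarded_for" in quotes as
# the last field; nginx joins repeated XFF headers into one comma-separated value.
LOG_RE = re.compile(r'^(?P<remote>\S+) .*"(?P<xff>[^"]*)"$')

def in_ignore_rules(addr):
    """True if addr would match one of the configured Ignore rules."""
    return addr in IGNORED_IPS or any(addr in net for net in IGNORED_NETWORKS)

def parse_xff(field):
    """Split a raw X-Forwarded-For value into (valid_addresses, garbage_tokens)."""
    addrs, junk = [], []
    for tok in (t.strip() for t in field.split(",") if t.strip()):
        try:
            addrs.append(ipaddress.ip_address(tok))
        except ValueError:
            junk.append(tok)
    return addrs, junk

def suspicious(line):
    """Return a reason string when the XFF value would hit an Ignore rule but the
    TCP peer is outside every ignored range; otherwise None."""
    m = LOG_RE.match(line)
    if not m or m.group("xff") in ("", "-"):
        return None
    remote = ipaddress.ip_address(m.group("remote"))
    if in_ignore_rules(remote):
        return None  # request genuinely arrived from an ignored source
    addrs, junk = parse_xff(m.group("xff"))
    for addr in addrs:
        if in_ignore_rules(addr):
            return f"XFF {addr} matches an Ignore rule but peer is {remote}"
    if junk:
        return f"malformed XFF tokens {junk} from {remote}"
    return None

# Constructed sample log lines (combined format with XFF as the last field).
SAMPLE_LOG = [
    '198.51.100.20 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 12 "-" "curl" "10.1.2.3"',
    '198.51.100.21 - - [01/Jan/2024:10:00:01 +0000] "GET /search HTTP/1.1" 200 12 "-" "curl" "-"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 200 12 "-" "curl" "10.0.0.9"',
    '198.51.100.22 - - [01/Jan/2024:10:00:03 +0000] "GET /x HTTP/1.1" 200 12 "-" "curl" "192.168.1.44, 1.2.3.4"',
]

def scan(lines):
    """Return (index, reason) pairs for every suspicious line."""
    return [(i, suspicious(l)) for i, l in enumerate(lines) if suspicious(l)]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_LOG):
        print(f"line {idx}: {reason}")
```

Lines 0 and 3 are flagged; line 2 is not, because its peer address itself lies in an ignored range and the header is therefore plausible.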

Network Indicators:

  • HTTP requests with manipulated X-Forwarded-For headers
  • Traffic patterns showing successful WAF bypass

SIEM Query:

source="nginx" AND "X-Forwarded-For" AND ("IgnoreIP" OR "IgnoreCIDR")

🔗 References