CVE-2025-48865
📋 TL;DR
CVE-2025-48865 is a vulnerability in the Fabio HTTP/TCP router: because Fabio applies hop-by-hop header semantics to names listed in the Connection header, a client can remove or manipulate X-Forwarded headers (all except X-Forwarded-For) before the request reaches the backend. This lets an attacker bypass security controls or spoof request information that backend applications trust. Organizations using Fabio versions before 1.6.6 to route traffic to applications are affected.
💻 Affected Systems
- Fabio
📦 What is this software?
Fabio by Fabiolb
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass authentication, authorization, or security filters by manipulating headers that backend applications rely on for trust decisions, potentially leading to unauthorized access to sensitive systems or data.
Likely Case
Attackers could spoof request origins, bypass IP-based restrictions, or manipulate application routing decisions by controlling X-Forwarded headers that backend applications use for security decisions.
If Mitigated
With proper network segmentation and backend application validation of all headers, the impact is limited to potential routing anomalies or logging inconsistencies.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests with Connection headers to remove hop-by-hop headers. No authentication is required to exploit this vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.6
Vendor Advisory: https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf
Restart Required: Yes
Instructions:
1. Download Fabio version 1.6.6 or later from GitHub releases.
2. Stop the current Fabio service.
3. Replace the Fabio binary with the patched version.
4. Restart the Fabio service.
5. Verify the version is 1.6.6 or higher.
🔧 Temporary Workarounds
Network Filtering
Implement network-level filtering to block or sanitize Connection headers that attempt to remove X-Forwarded headers.
Backend Header Validation
Configure backend applications to validate or ignore X-Forwarded headers, or implement additional authentication mechanisms.
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block or sanitize Connection headers that attempt to remove X-Forwarded headers.
- Configure backend applications to not trust X-Forwarded headers for security decisions and implement alternative authentication/authorization mechanisms.
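As an added example (not Fabio's own code and not the vendor's fix): a Go middleware that applies the Connection-header sanitizing workaround above in front of a reverse proxy, assuming the proxy is an ordinary net/http handler. The tokens it drops are exactly the log indicator listed under Detection & Monitoring.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// SanitizeConnection drops every X-Forwarded-* token from the request's
// Connection header so a client cannot mark those headers as hop-by-hop.
// It returns the dropped tokens (nil if none): the log indicator listed above.
func SanitizeConnection(h http.Header) []string {
	var kept, dropped []string
	for _, v := range h.Values("Connection") {
		for _, tok := range strings.Split(v, ",") {
			tok = strings.TrimSpace(tok)
			switch {
			case tok == "":
			case strings.HasPrefix(strings.ToLower(tok), "x-forwarded-"):
				dropped = append(dropped, tok)
			default: // close, keep-alive, upgrade ... stay as received
				kept = append(kept, tok)
			}
		}
	}
	if len(dropped) == 0 {
		return nil // nothing suspicious; header left exactly as received
	}
	if len(kept) == 0 {
		h.Del("Connection")
	} else {
		h.Set("Connection", strings.Join(kept, ", "))
	}
	return dropped
}

// WithConnectionSanitizer cleans Connection before the wrapped handler (e.g. a ReverseProxy) runs.
func WithConnectionSanitizer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if dropped := SanitizeConnection(r.Header); dropped != nil {
			log.Printf("client %s named %v in Connection header", r.RemoteAddr, dropped)
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // constructed sample: X-Forwarded-Host named as hop-by-hop
	h := http.Header{"Connection": {"keep-alive, X-Forwarded-Host"}}
	log.Printf("dropped=%v remaining=%q", SanitizeConnection(h), h.Get("Connection"))
}
```

Wrap the proxy as `WithConnectionSanitizer(proxy)` and feed the logged lines to the SIEM query below.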
🔍 How to Verify
Check if Vulnerable:
Check whether the Fabio version is below 1.6.6. To test the behaviour, send an HTTP request with a 'Connection: X-Forwarded-Host' header and observe whether X-Forwarded-Host is removed from the request forwarded to the backend.
Check Version:
fabio -version
Verify Fix Applied:
After patching, verify the version is 1.6.6 or higher, and confirm that sending 'Connection: X-Forwarded-Host' no longer removes the X-Forwarded-Host header from requests to backend applications.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with Connection headers containing X-Forwarded-* values
- Backend applications receiving requests with missing or unexpected X-Forwarded headers
Network Indicators:
- HTTP traffic with Connection headers attempting to remove X-Forwarded headers
- Unusual patterns in X-Forwarded header usage
SIEM Query:
http.request.headers.connection:*X-Forwarded* OR http.request.headers.x-forwarded-*:null