CVE-2025-51663
📋 TL;DR
This vulnerability allows remote attackers to bypass IP-based rate limiting in FileCodeBox by spoofing X-Real-IP and X-Forwarded-For HTTP headers. Attackers can perform denial-of-service attacks or brute-force share codes without restriction. All users of FileCodeBox up to version 2.2 are affected.
💻 Affected Systems
- FileCodeBox
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption through DoS attacks, unauthorized access to shared files via brute-force attacks, and potential data exfiltration.
Likely Case
Service degradation due to resource exhaustion attacks, successful brute-force attacks against share codes leading to unauthorized file access.
If Mitigated
Limited impact with proper network controls and header validation, but still vulnerable to determined attackers.
🎯 Exploit Status
Exploitation requires only HTTP request manipulation with common tools like curl or Burp Suite.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3 or later
Vendor Advisory: https://github.com/vastsa/FileCodeBox/issues/350
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Stop the FileCodeBox service.
3. Update to version 2.3 or later from GitHub releases.
4. Restart the FileCodeBox service.
5. Verify functionality.
🔧 Temporary Workarounds
Reverse Proxy Header Validation
Configure the reverse proxy (nginx, Apache) to strip or overwrite X-Real-IP and X-Forwarded-For headers before requests reach FileCodeBox, so the application only ever sees a value set by the proxy itself.
# nginx example: proxy_set_header X-Real-IP $remote_addr;
# Apache example: RequestHeader unset X-Forwarded-For
Network-Level Rate Limiting
Implement rate limiting at the network perimeter (firewall, WAF), keyed on the actual source address of the connection rather than on client-supplied headers, to supplement application controls.
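The root cause described above is a rate limiter keyed on a client-controlled header. The following added example (illustrative code, not FileCodeBox's own implementation) shows that pattern beside a hardened client-IP selection that only honours X-Forwarded-For when the TCP peer is a known proxy; the proxy address and client addresses are constructed.

```python
"""Client-IP selection for rate limiting: the header-trusting pattern
versus one that only honours forwarding headers from a known proxy.
Illustrative code, not FileCodeBox's own implementation."""
from collections import defaultdict
import ipaddress

# Assumption: only this reverse proxy may set forwarding headers (constructed).
TRUSTED_PROXIES = {"10.0.0.5"}


def naive_client_ip(peer_addr: str, headers: dict) -> str:
    """Trusting pattern: whoever sends the request chooses its own identity."""
    return (headers.get("X-Real-IP")
            or headers.get("X-Forwarded-For", peer_addr).split(",")[0].strip())


def hardened_client_ip(peer_addr: str, headers: dict, trusted=TRUSTED_PROXIES) -> str:
    """Use X-Forwarded-For only when the peer is a trusted proxy, and take
    the rightmost hop that was not appended by a trusted proxy."""
    if peer_addr not in trusted:
        return peer_addr  # direct connection: headers are attacker-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed header: fall back to the peer address
        if hop not in trusted:
            return hop
    return peer_addr


class RateLimiter:
    """Fixed-window counter keyed on whatever key_func derives from a request."""
    def __init__(self, limit: int, key_func):
        self.limit, self.key_func = limit, key_func
        self.counts = defaultdict(int)

    def allow(self, peer_addr: str, headers: dict) -> bool:
        key = self.key_func(peer_addr, headers)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def simulate(key_func, attempts: int = 20, limit: int = 5) -> int:
    """One direct client at 203.0.113.9 (constructed) sends `attempts` requests,
    each with a different X-Forwarded-For value. Returns how many pass the limiter."""
    limiter = RateLimiter(limit, key_func)
    return sum(limiter.allow("203.0.113.9", {"X-Forwarded-For": f"198.51.100.{i}"})
               for i in range(attempts))
```

With the naive key every request lands in a fresh bucket, so all 20 are allowed; with the hardened key only the first 5 pass.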
🧯 If You Can't Patch
- Isolate FileCodeBox behind a WAF with strict header validation and rate limiting rules.
- Monitor for unusual request patterns and implement aggressive IP blocking for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Send HTTP requests with spoofed X-Real-IP headers and observe if rate limits are bypassed.
Check Version:
Check FileCodeBox web interface or configuration files for version number.
Verify Fix Applied:
Repeat the same header-spoofing requests after patching; rate limits should now be enforced regardless of header values.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login/share attempts from same IP with varying X-Forwarded-For headers
- Unusual request patterns bypassing rate limits
Network Indicators:
- HTTP requests with manipulated X-Real-IP/X-Forwarded-For headers
- High volume of requests from single source IP
SIEM Query:
source="filecodebox.log" AND ("X-Real-IP" OR "X-Forwarded-For") AND status=429 | stats count by src_ip