CVE-2025-48865

moderate-risk
Published 2025-05-30

Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities. Some of these custom headers can be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been patched in version 1.6.6.

Do I need to act?

-
0.17% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Fabio

Affected Vendors

Fabiolb

References (4)

Patch https://github.com/fabiolb/fabio/commit/fdaf1e966162e9dd3b347ffdd0647b39dc71a1a3
Release Notes https://github.com/fabiolb/fabio/releases/tag/v1.6.6
Exploit https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf
Exploit https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf
37
/ 100
moderate-risk
Severity 31/34 · Critical
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal