-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stemmed from improper IP validation in the request handling flow. The pre-patch code in gateway_route.go's GetRoute handler forwarded requests without sanitizing X-Forwarded-For headers. This allowed attackers to manipulate their perceived IP address to bypass authentication middleware (like ExceptLocalhost) that skipped JWT validation for localhost requests. The critical missing element was the rewriteRequestSourceIP() function added in the patch, which properly sanitizes headers and validates the remote IP before trusting X-Forwarded-For values. The anonymous handler function in GetRoute is identified as the vulnerable entry point because it directly handled incoming requests without these protections.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/IceWhaleTech/CasaOS-Gateway | go | < 0.4.4 | 0.4.4 |
GoGoKEV Misses 88% of Exploited CVEs- Get the report