6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-pq96-pwvg-vrr9

GHSA-pq96-pwvg-vrr9: frp has an authentication bypass in HTTP vhost routing when routeByHTTPUser is used for access control

Summary

frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password.

This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature.

Details

The issue is in pkg/util/vhost/http.go.

In proxy-style requests using an absolute URI, the routing path extracts the username from Proxy-Authorization and stores it as the request HTTPUser, which is then used for routeByHTTPUser route selection.

More specifically, injectRequestInfoToCtx() derives the routing user from Proxy-Authorization, while the original ServeHTTP() implementation used req.BasicAuth() for the authentication check.

Because routing and authentication use different credential sources, a request can be routed to a protected backend based on the Proxy-Authorization username while the authentication check is not performed against the same credentials. This creates an authentication bypass when routeByHTTPUser, httpUser, and httpPassword are used together.

This is not a universal anonymous bypass for all frp HTTP proxies; it is specific to deployments that use routeByHTTPUser and where the target user value is known or can be inferred.

A minimal fix is to make the authentication check in proxy mode use the same credential source as route selection, i.e. to derive proxy-mode credentials from Proxy-Authorization consistently.

From local Git history analysis, this logic appears to have been introduced by commit 4af85da0c2c6eb981142a8fdb44f885d26cb9d08, with the earliest containing release tag appearing to be v0.43.0.

PoC

I reproduced the issue with the official frp_0.68.0_linux_amd64.tar.gz release binaries both locally and on an internet-reachable test server under my control.

Minimal setup:

frps exposes an HTTP vhost entrypoint.
One HTTP proxy is configured with:
- customDomains = ["example.test"]
- routeByHTTPUser = "alice"
- httpUser = "alice"
- httpPassword = "secret"
The protected backend returns a constant marker string: PRIVATE.

Minimal request flow:

Direct unauthenticated request:
- curl -i --proxy '' -H 'Host: example.test' http://<FRPS_HOST>:<VHOST_HTTP_PORT>/
- Result: 404 Not Found
Direct request with correct backend credentials:
- curl -i --proxy '' -u alice:secret -H 'Host: example.test' http://<FRPS_HOST>:<VHOST_HTTP_PORT>/
- Result: 200 OK, body contains PRIVATE
Proxy-style request with incorrect Proxy-Authorization:
- curl -i --noproxy '' -x http://<FRPS_HOST>:<VHOST_HTTP_PORT> --proxy-user alice:wrong http://example.test/
- Result: 200 OK, body contains PRIVATE

Observed minimal result summary:

DIRECT_NOAUTH -> 404
DIRECT_BASICAUTH_GOOD -> 200 PRIVATE
PROXY_PROXYAUTH_WRONGPASS -> 200 PRIVATE

This was reproduced against the official binary, not only against a local source build.

Impact

This is an authentication bypass leading to unauthorized access to a protected backend.

The practical impact depends on what service is behind the protected route. Examples include private application endpoints, internal administration panels, loopback-only local services, or development and operations interfaces.

Important boundary: if the protected backend is an frpc admin API that is separately protected by its own webServer.user / webServer.password, this issue only bypasses the outer vhost restriction and does not automatically bypass the inner admin authentication. In that case, the request may still reach the backend but correctly receive 401 Unauthorized from the inner layer.

There is also a deployment-specific downstream impact path. If the bypassed backend is an frpc admin API without separate inner authentication, and if that frpc instance permits store-based proxy management, an attacker may be able to create additional plugin-based proxies through the admin API. In deployments where a unix_domain_socket proxy can be used to expose Docker's Unix socket, this may further expose the Docker API and potentially enable host-level command execution through Docker. This follow-on consequence depends on multiple additional deployment conditions and should be treated as a conditional downstream impact rather than the core vulnerability itself.

Because exploitation requires a deployment to explicitly use routeByHTTPUser, and because the attacker must know or be able to guess the target routeByHTTPUser value, the issue is better classified as a configuration-dependent authentication bypass rather than a default-configuration issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-pq96-pwvg-vrr9

GHSA-pq96-pwvg-vrr9:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/fatedier/frp	go	>= 0.43.0, <= 0.68.0	0.68.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is an authentication bypass in frp's HTTP vhost routing, occurring when routeByHTTPUser is used for access control. The root cause is a discrepancy between the credential sources used for routing and authentication in proxy-style requests.

The analysis of the patch commit a9a4416ecf20a1d90515cbc366c006db0db5b5fa reveals the flaw. In vulnerable versions, the vhost.HTTPReverseProxy.ServeHTTP function would orchestrate the request handling. For routing, it would call injectRequestInfoToCtx, which correctly extracted the username from the Proxy-Authorization header to select the backend based on routeByHTTPUser. However, for authentication, ServeHTTP would extract credentials from the standard Authorization header using req.BasicAuth() and pass them to the CheckAuth function.

This created a bypass: an attacker could send a proxy-style request with a known routeByHTTPUser value in the Proxy-Authorization header (e.g., Proxy-Authorization: Basic YWxpY2U6d3Jvbmc=, where 'alice' is the user) to be routed to the correct protected backend. Since the authentication check in CheckAuth only looked at the Authorization header, which could be absent or contain incorrect credentials, the check would be bypassed, granting unauthorized access.

The patch resolves this by removing the CheckAuth function and introducing a new function, checkRouteAuthByRequest. This new function is aware of the request type. For proxy-style requests (req.URL.Host != ""), it now correctly validates credentials from the Proxy-Authorization header. The ServeHTTP function is updated to use this new, context-aware authentication logic, thus closing the bypass.

Vulnerable functions

vhost.HTTPReverseProxy.ServeHTTP

pkg/util/vhost/http.go

This is the main request handling function. The vulnerability lies in its original implementation where it performed an authentication check using credentials from the `Authorization` header (`req.BasicAuth()`) via the `CheckAuth` function. However, for proxy-style requests, the routing decision was based on the username from the `Proxy-Authorization` header (handled in `injectRequestInfoToCtx`). This discrepancy allowed an attacker to specify a target user in `Proxy-Authorization` to get routed to a protected backend, while bypassing the authentication check which was looking at a different header.

vhost.HTTPReverseProxy.CheckAuth

pkg/util/vhost/http.go

This function, which was removed by the patch, contained the flawed authentication logic. It was called by `ServeHTTP` and only validated the credentials passed to it, which were sourced from the `Authorization` header. It was completely unaware of proxy-style requests and the `Proxy-Authorization` header, making it the component that failed to correctly authenticate the request, leading to the bypass.

vhost.HTTPReverseProxy.injectRequestInfoToCtx

pkg/util/vhost/http.go

This function was responsible for determining the user for routing purposes when `routeByHTTPUser` was configured. It correctly extracted the username from the `Proxy-Authorization` header for proxy-style requests. While not vulnerable in isolation, its behavior of selecting a user for routing that was different from the user being authenticated by `CheckAuth` was a critical part of the vulnerability chain.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.