EXECUTIVE SUMMARY:
CVE-2026-45045 with a CVSS score of 5.3 is a medium‑severity header injection flaw in the GoFiber web framework’s BalancerForward proxy helper that improperly uses Header.Add() to insert the X-Real-IP header, causing the real client IP to be appended rather than replacing any attacker‑supplied value. The vulnerability affects go/github.com/gofiber/fiber/v3 versions up to 3.2.0 and go/github.com/gofiber/fiber/v2 versions up to 2.52.13. An attacker can craft an HTTP request that includes a malicious X-Real-IP header (e.g., 10.0.0.1) and send it through a GoFiber‑based reverse‑proxy; the proxy then appends the true source IP, resulting in two X-Real-IP entries where upstream servers typically read the first value. Exploitation requires only network access to the vulnerable proxy and the ability to set custom headers. Successful exploitation enables the attacker to bypass IP‑based rate limiting, access‑control lists, geofencing, and to poison audit logs by forcing the upstream to trust the spoofed IP. The business impact includes unlimited request abuse, unauthorized access to internal admin interfaces, inaccurate security monitoring, and potential compliance violations, especially when IP‑based policies are critical to the organization’s security posture.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-45045 with a CVSS score of 5.3 is a medium‑severity header injection flaw in the GoFiber web framework’s BalancerForward proxy helper that improperly uses Header.Add() to insert the X-Real-IP header, causing the real client IP to be appended rather than replacing any attacker‑supplied value. The vulnerability affects go/github.com/gofiber/fiber/v3 versions up to 3.2.0 and go/github.com/gofiber/fiber/v2 versions up to 2.52.13. An attacker can craft an HTTP request that includes a malicious X-Real-IP header (e.g., 10.0.0.1) and send it through a GoFiber‑based reverse‑proxy; the proxy then appends the true source IP, resulting in two X-Real-IP entries where upstream servers typically read the first value. Exploitation requires only network access to the vulnerable proxy and the ability to set custom headers. Successful exploitation enables the attacker to bypass IP‑based rate limiting, access‑control lists, geofencing, and to poison audit logs by forcing the upstream to trust the spoofed IP. The business impact includes unlimited request abuse, unauthorized access to internal admin interfaces, inaccurate security monitoring, and potential compliance violations, especially when IP‑based policies are critical to the organization’s security posture.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-gcfq-8gqf-4876