CVE-2026-45045 in Fiberinfo

Summary

by MITRE • 07/08/2026

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream servers for logging, rate limiting, and access control. This issue is fixed in version 3.3.0 and 2.52.14.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability exists within the Fiber web framework's proxy middleware implementation where the BalancerForward helper function incorrectly utilizes Header.Add() instead of Header.Set() when processing the X-Real-IP header. This flaw affects versions prior to 3.3.0 and 2.52.14, creating a security vector that allows malicious actors to manipulate upstream server configurations through crafted HTTP requests. The issue stems from the fundamental difference between these two header manipulation methods where Add() appends values to existing headers while Set() replaces them entirely, leading to unexpected behavior in header processing.

This vulnerability represents a classic case of improper input handling and header manipulation that falls under CWE-1286, which addresses issues related to incorrect use of APIs. The flaw enables attackers to inject malicious X-Real-IP values that get forwarded to upstream servers, potentially compromising logging systems, rate limiting mechanisms, and access control configurations. When Header.Add() is used instead of Header.Set(), multiple X-Real-IP headers can accumulate in the request, with the first value being preserved while subsequent ones are appended, creating a situation where attacker-controlled data overrides legitimate server identity information.

The operational impact of this vulnerability extends beyond simple header manipulation as it affects critical security controls within distributed web architectures. Upstream servers that rely on X-Real-IP for logging purposes may record malicious IP addresses instead of actual client addresses, leading to compromised audit trails and forensic investigations. Additionally, rate limiting systems that use X-Real-IP for identifying clients could be bypassed or manipulated, allowing attackers to circumvent traffic restrictions and potentially launch DoS attacks against legitimate services. Access control mechanisms that depend on accurate IP address information may also be compromised, enabling unauthorized access to restricted resources.

From an adversarial perspective, this vulnerability aligns with techniques described in the ATT&CK framework under T1071.004 for application layer protocol manipulation and T1566 for phishing attacks that leverage web application flaws. Attackers can exploit this weakness by crafting HTTP requests with malicious X-Real-IP values, potentially masking their true location while appearing to originate from trusted sources. The vulnerability creates a pathway for attackers to manipulate server-side security decisions based on false client identity information.

The fix implemented in versions 3.3.0 and 2.52.14 addresses this issue by changing the header manipulation method from Header.Add() to Header.Set(), ensuring that only a single X-Real-IP value is preserved in the forwarded request. This change eliminates the possibility of header accumulation while maintaining the intended functionality of the proxy middleware. Organizations using affected versions should prioritize immediate patching and monitor upstream server logs for any anomalies that may have occurred during the vulnerable period. The remediation approach directly addresses the root cause identified in CWE-1286 by ensuring proper API usage patterns are maintained throughout the application's header processing pipeline.

Responsible

GitHub M

Reservation

05/08/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!