CVE-2026-55501 in 9router情報

要約

〜によって MITRE • 2026年07月10日

9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFail. A remote attacker can rotate the X-Forwarded-For value on each login attempt to receive a fresh rate-limit bucket, bypass the 5-attempt threshold and progressive lockout durations, and perform unlimited brute-force attempts against the dashboard password. This issue is fixed in version 0.4.80.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

責任者

GitHub M

予約する

2026年06月17日

モデレーション

承諾済み

エントリ

VDB-377523

EPSS

0.00000

アクティビティ

非常低い

ソース

Want to stay up to date on a daily basis?

Enable the mail alert feature now!