The caddy-geo-ip (aka GeoIP) middleware up to and including 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows malicious users to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).
Vulnerable Product |
---|
caddyserver caddy |
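
The header-trust flaw described above, as an added example that is not the caddy-geo-ip plugin's code: a resolver that believes X-Forwarded-For from any sender, beside one that honours it only when the TCP peer is a trusted proxy. The function names, the 10.0.0.0/8 proxy range and the sample addresses are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// naiveClientIP shows the flawed pattern: the left-most header value is believed from any sender.
func naiveClientIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	return host
}

// hardenedClientIP trusts the header only from a trusted proxy peer and returns the right-most untrusted hop.
func hardenedClientIP(r *http.Request, trusted *net.IPNet) string {
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	if peer := net.ParseIP(host); peer == nil || !trusted.Contains(peer) {
		return host // direct client: ignore any forwarded header
	}
	hops := strings.Split(strings.Join(r.Header.Values("X-Forwarded-For"), ","), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // malformed or empty entry: fall back to the peer address
		}
		if !trusted.Contains(ip) {
			return ip.String()
		}
	}
	return host
}

// resolve builds a constructed request; 10.0.0.0/8 is an assumed trusted proxy range.
func resolve(remoteAddr, xff string) (naive, hardened string) {
	_, proxies, _ := net.ParseCIDR("10.0.0.0/8")
	r := &http.Request{RemoteAddr: remoteAddr, Header: http.Header{}}
	r.Header.Set("X-Forwarded-For", xff)
	return naiveClientIP(r), hardenedClientIP(r, proxies)
}

func main() {
	fmt.Println(resolve("203.0.113.7:40000", "192.0.2.10"))              // direct client
	fmt.Println(resolve("10.0.0.5:40000", "192.0.2.10, 198.51.100.23")) // via trusted proxy
}
```

Any access rule or geolocation lookup keyed on the naive result follows whatever the client typed into the header; the hardened result is either the TCP peer or an address appended by a trusted proxy.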