CVE-2025-48865: Fabio allows HTTP clients to manipulate custom headers it adds
Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers.
Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities.
However, it was found that some of these custom headers can indeed be removed and, in certain cases, manipulated. The attack relies on the fact that a client can declare arbitrary headers hop-by-hop by naming them in the HTTP Connection header, which a proxy then strips before forwarding. By sending the following Connection header, the X-Forwarded-Host header can, for example, be removed:
Connection: close, X-Forwarded-Host
Similar critical vulnerabilities have been identified in other web servers and proxies, including CVE-2022-31813 in Apache HTTP Server and CVE-2024-45410 in Traefik.
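The ordering flaw behind this class of bug, and the defensive ordering that closes it, as an added Go illustration (not Fabio's own code; the function names and the prefix-based allow list are assumptions): the vulnerable variant sets X-Forwarded-Host and only then strips the headers the client nominated in Connection, so the proxy's own header is deleted; the hardened variant strips client-nominated hop-by-hop headers first and never honours a nomination of an X-Forwarded-* name.

```go
package main

import (
	"net/http"
	"strings"
)

// connectionTokens returns the header names a client nominated as hop-by-hop
// via the Connection header, canonicalised for http.Header lookups.
func connectionTokens(h http.Header) []string {
	var tokens []string
	for _, v := range h.Values("Connection") {
		for _, t := range strings.Split(v, ",") {
			if t = strings.TrimSpace(t); t != "" {
				tokens = append(tokens, http.CanonicalHeaderKey(t))
			}
		}
	}
	return tokens
}

// vulnerableForward mimics the flawed ordering the advisory describes: the proxy
// sets X-Forwarded-Host first and strips hop-by-hop headers afterwards, so a
// client-sent "Connection: close, X-Forwarded-Host" deletes the proxy's own header.
func vulnerableForward(in http.Header, host string) http.Header {
	out := in.Clone()
	out.Set("X-Forwarded-Host", host)
	for _, t := range connectionTokens(out) {
		out.Del(t)
	}
	out.Del("Connection")
	return out
}

// hardenedForward (assumed mitigation) strips client-nominated hop-by-hop headers
// before the proxy adds its own, and never honours a nomination of an
// X-Forwarded-* header, so the backend always receives the values the proxy set.
func hardenedForward(in http.Header, host string) http.Header {
	out := in.Clone()
	for _, t := range connectionTokens(out) {
		if !strings.HasPrefix(t, "X-Forwarded-") {
			out.Del(t)
		}
	}
	out.Del("Connection")
	out.Set("X-Forwarded-Host", host)
	return out
}
```

Legitimate hop-by-hop handling is preserved: a header the client nominates (other than the reserved X-Forwarded-* names) is still removed in both variants.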