chi's RealIP Middleware allows IP spoofing via unvalidated X-Forwarded-For header
The RealIP middleware in go-chi/chi trusts headers such as X-Forwarded-For without validating them, so attackers can fake their IP address and bypass rate limits or access controls.
The vulnerability allows the Request.RemoteAddr to be spoofed when determining the request source IP via the X-Forwarded-For header. This could result in misidentification of the request source and potentially compromise access control and logging integrity.