MEDIUM 5.3

GHSA-gcfq-8gqf-4876

GoFiber Vulnerable to X-Real-IP Spoofing via Header.Add() in BalancerForward

Details

## Summary

The `BalancerForward` proxy helper in GoFiber uses `Header.Add()` instead of `Header.Set()` when injecting the `X-Real-IP` header. This appends the real client IP as a second header value rather than replacing any attacker-supplied value. Upstream servers that read the first `X-Real-IP` header (nginx, Express, most HTTP servers) use the attacker's spoofed IP for logging, rate limiting, and access control.

## Vulnerable Code

**File:** `middleware/proxy/proxy.go`, lines 270-285

```go
func BalancerForward(servers []string, clients ...*fasthttp.Client) fiber.Handler {
	r := &roundrobin{
		current: 0,
		pool:    servers,
	}
	return func(c fiber.Ctx) error {
		server := r.get()
		if !strings.HasPrefix(server, "http") {
			server = "http://" + server
		}
		c.Request().Header.Add("X-Real-IP", c.IP()) // line 282: Add, not Set
		return Do(c, server+c.OriginalURL(), clients...)
	}
}
```

## Data Flow

1. Attacker sends request with `X-Real-IP: 10.0.0.1` (spoofed internal IP)
2. `BalancerForward` handler executes at line 282
3. `c.Request().Header.Add("X-Real-IP", c.IP())` APPENDS the real IP as a second header
4. Upstream server receives: `X-Real-IP: 10.0.0.1` AND `X-Real-IP: <real-attacker-ip>`
5. Most HTTP servers (nginx, Node.js, Apache) read the FIRST value
6. Upstream uses `10.0.0.1` for all IP-dependent logic

## Impact

- **Rate limit bypass:** IP-based rate limiting at the upstream uses the spoofed IP, allowing unlimited requests
- **IP ACL bypass:** Internal IP allowlists (e.g., admin panels restricted to `10.0.0.0/8`) can be bypassed
- **Audit log poisoning:** Security logs record the spoofed IP, making incident investigation unreliable
- **Geolocation bypass:** IP-based geofencing or region restrictions are circumvented

## Fix

Replace `Header.Add()` with `Header.Set()` at line 282:

```go
c.Request().Header.Set("X-Real-IP", c.IP())
```

`Header.Set()` replaces any existing header value, ensuring only the real client IP is forwarded.
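The data flow above and the `Add` versus `Set` fix can be reproduced without Fiber, because Go's `net/http.Header` has the same semantics as fasthttp's header API: `Add` appends a value, `Set` replaces it, and `Get` returns the first value, which is what an upstream such as nginx or Express acts on. The following is an added, self-contained example and not code from the GoFiber project; the client address `203.0.113.7`, the spoofed value `10.0.0.1`, and the helper names `simulate`, `addRealIP`, `setRealIP` and `observed` are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Constructed address of the TCP peer, standing in for c.IP() in the advisory.
const realClientIP = "203.0.113.7"

// observed records what an upstream would see: the value it acts on (the first
// one, as returned by Header.Get) and every value that arrived on the wire.
type observed struct {
	first string
	all   []string
}

// addRealIP mirrors the vulnerable BalancerForward: Add appends a second value,
// so an attacker-supplied X-Real-IP stays in front of the genuine one.
func addRealIP(h http.Header, ip string) { h.Add("X-Real-IP", ip) }

// setRealIP mirrors the fix: Set discards any client-supplied value first.
func setRealIP(h http.Header, ip string) { h.Set("X-Real-IP", ip) }

// simulate runs one proxy hop entirely in memory: an inbound request carrying a
// spoofed header is cloned for forwarding (as a reverse proxy does), the chosen
// injection strategy is applied, and the resulting header set is inspected the
// way a first-value upstream would inspect it.
func simulate(spoofed string, inject func(http.Header, string)) observed {
	// Constructed inbound request from an untrusted client.
	in := httptest.NewRequest(http.MethodGet, "/admin", nil)
	in.RemoteAddr = realClientIP + ":51234"
	in.Header.Set("X-Real-IP", spoofed)

	// The proxy's forwarding step: copy headers, then inject the peer address.
	out := in.Clone(in.Context())
	peer, _, err := net.SplitHostPort(in.RemoteAddr)
	if err != nil {
		peer = in.RemoteAddr
	}
	inject(out.Header, peer)

	// Upstream view: Get returns the first value; Values returns all of them.
	return observed{
		first: out.Header.Get("X-Real-IP"),
		all:   out.Header.Values("X-Real-IP"),
	}
}

func main() {
	for name, inject := range map[string]func(http.Header, string){
		"Header.Add (vulnerable)": addRealIP,
		"Header.Set (fixed)":      setRealIP,
	} {
		o := simulate("10.0.0.1", inject)
		fmt.Printf("%-24s upstream acts on %-12s wire values %v\n", name, o.first, o.all)
	}
}
```

With `Add`, the upstream sees two `X-Real-IP` values and acts on the spoofed `10.0.0.1`; with `Set`, exactly one value arrives and it is the peer address. A defensive upstream that cannot wait for the proxy fix can read the last value instead of the first, or reject requests that carry more than one `X-Real-IP` header, since a correctly behaving proxy never emits two.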


Affected packages

Go / github.com/gofiber/fiber/v3
Introduced in: 0
Fixed in: 3.3.0
Fix go get github.com/gofiber/fiber/v3@v3.3.0
Go / github.com/gofiber/fiber/v2
Introduced in: 0

No fixed version published yet for github.com/gofiber/fiber/v2 (go modules). Pin to a known-safe version or switch to an alternative.

References