Description
Versions of the package github.com/gin-gonic/gin before 1.9.0 are vulnerable to Improper Input Validation: an attacker can send a specially crafted request carrying an X-Forwarded-Prefix header whose value the framework uses without adequate validation, potentially leading to cache poisoning. **Note:** Although this issue does not pose a significant threat on its own, it can serve as an input vector for other, more impactful vulnerabilities. Successful exploitation depends on the server configuration and on whether the header value reaches application logic; in particular, X-Forwarded-Prefix is attacker-controlled unless a trusted reverse proxy in front of the application sets or strips it. Upgrade to 1.9.0 or later.
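The following Go program is an added example written for this page; it is not code from the gin project or from this advisory. It contrasts an unsanitized stand-in for the vulnerable pattern (the header value is only run through path.Clean and then prepended to the request path before being echoed back as a redirect Location) with an allow-list sanitizer modelled on the approach the 1.9.0 fix takes. The function and variable names, the allow-list itself and the sample header values are this example's own assumptions, not identifiers from gin. The cases worth watching are values such as `//` or `/\evil.example`: path.Clean alone leaves them in a shape that browsers read as a reference to another host, and a cache that stores such a redirect hands it to every later visitor of that path. The sanitizer reduces them to a same-origin path or drops them entirely.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"regexp"
	"strings"
)

// prefixDenied matches every byte that is not allowed in a forwarded path
// prefix. The allow-list is deliberately narrow (letters, digits, '/', '-',
// '_' and '.'): backslashes, colons, '?', '#', '%' and whitespace are dropped,
// because each can change how a client or cache interprets the Location value.
// This allow-list is an assumption of the example, not gin's.
var prefixDenied = regexp.MustCompile(`[^a-zA-Z0-9/_.-]+`)

// sanitizePrefix turns an untrusted X-Forwarded-Prefix value into a prefix
// that is safe to prepend to a request path: denied bytes are stripped, "."
// and ".." segments are resolved, repeated slashes are collapsed and the result
// has exactly one leading slash and no trailing slash. An empty header, or one
// with nothing usable in it, yields "" so the caller falls back to the bare path.
func sanitizePrefix(raw string) string {
	kept := prefixDenied.ReplaceAllString(raw, "")
	kept = strings.Trim(kept, "/")
	if kept == "" {
		return ""
	}
	cleaned := path.Clean("/" + kept) // also collapses "//" and resolves ".."
	if cleaned == "/" {
		return ""
	}
	return cleaned
}

// unsafeTarget is a stand-in for the pre-fix pattern: the header value is only
// passed through path.Clean and glued in front of the request path. path.Clean
// understands '/' alone, so a backslash or a colon survives, and "//" collapses
// to "/" which then produces a "//host"-shaped target.
func unsafeTarget(forwardedPrefix, reqPath string) string {
	if forwardedPrefix == "" {
		return reqPath
	}
	return path.Clean(forwardedPrefix) + reqPath
}

// safeTarget is the hardened variant: same shape, but the prefix is
// allow-list filtered before it touches the redirect target.
func safeTarget(forwardedPrefix, reqPath string) string {
	return sanitizePrefix(forwardedPrefix) + reqPath
}

// redirectHandler issues a trailing-slash redirect built by target(), so both
// variants can be driven end to end through net/http. Location is set directly
// so the observed header equals what target() produced.
func redirectHandler(target func(prefix, reqPath string) string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := strings.TrimSuffix(r.URL.Path, "/")
		if p == "" {
			p = "/"
		}
		w.Header().Set("Location", target(r.Header.Get("X-Forwarded-Prefix"), p))
		w.WriteHeader(http.StatusMovedPermanently)
	})
}

// locationFor sends one constructed request through h and returns the
// Location header of the response.
func locationFor(h http.Handler, forwardedPrefix, reqPath string) string {
	req := httptest.NewRequest(http.MethodGet, reqPath, nil)
	if forwardedPrefix != "" {
		req.Header.Set("X-Forwarded-Prefix", forwardedPrefix)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	// Constructed header values: one legitimate reverse-proxy prefix and three
	// hostile ones. Compare the Location each variant emits for GET /users/.
	for _, prefix := range []string{"/api", `/\evil.example`, "https://evil.example", "//"} {
		fmt.Printf("%-22q unsafe=%-28q safe=%q\n",
			prefix,
			locationFor(redirectHandler(unsafeTarget), prefix, "/users/"),
			locationFor(redirectHandler(safeTarget), prefix, "/users/"))
	}
}
```

Run it with `go run .` and read the two Location columns side by side. Filtering the header value is only half of the fix in practice: the application should also honour X-Forwarded-Prefix only when the request arrives from a trusted reverse proxy, since any client can send the header directly.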
References
Exploit, Patch
https://github.com/gin-gonic/gin/pull/3500
Issue Tracking, Patch
https://github.com/gin-gonic/gin/pull/3503
Release Notes
https://github.com/gin-gonic/gin/releases/tag/v1.9.0
Exploit, Patch, Third Party Advisory
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-3324285
Scores
CVSS v3
5.6
EPSS
0.0091
EPSS Percentile
55.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-20
CWE-77
Status
published
Products (2)
gin-gonic/gin
< 1.9.0
gin-gonic/gin
0 - 1.9.0 (Go)
Published
May 04, 2023
Tracked Since
Feb 18, 2026