CVE-2023-50463
Severity: MEDIUM
caddy-geo-ip (Caddy 2 middleware) through 0.6.0 - IP-Based Access Control Bypass via X-Forwarded-For Header Spoofing
Title source: llmDescription
The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when configured with trust_header X-Forwarded-For, takes the client address from the X-Forwarded-For request header without first checking that the connection arrived from a trusted proxy. Any client that reaches the server directly can therefore set the header and choose the source IP address that later stages see, which may bypass a protection mechanism keyed on that address (the trusted_proxy directive in reverse_proxy, or IP address range restrictions).
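The two patterns below are an added illustration of the flaw class described above, written for this page; they are not caddy-geo-ip's or Caddy's own code, and the trusted range 10.0.0.0/8 and the client addresses are constructed sample values. clientIPNaive believes X-Forwarded-For whenever it is present, which is the behaviour the CVE describes; clientIPTrusted only consults the header when the TCP peer is a trusted proxy and then reads the chain from the right, so a client-supplied prefix is ignored.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Constructed demonstration for CVE-2023-50463; this is not caddy-geo-ip's
// code. The trusted proxy range and addresses used below are sample values.

// newRequest builds a minimal request with the given TCP peer and header value.
func newRequest(remoteAddr, xff string) *http.Request {
	r := &http.Request{Header: http.Header{}, RemoteAddr: remoteAddr}
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

// remoteHost strips the port from an "ip:port" peer address.
func remoteHost(remoteAddr string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return remoteAddr
	}
	return host
}

// mustCIDRs parses the trusted proxy ranges; it panics on a bad CIDR.
func mustCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIPNaive is the weak pattern: X-Forwarded-For, when present, is believed
// no matter who sent it. A directly connected client therefore picks the IP
// that geo lookups and IP allow-lists downstream will see.
func clientIPNaive(r *http.Request) string {
	if xff := strings.Join(r.Header.Values("X-Forwarded-For"), ","); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return remoteHost(r.RemoteAddr)
}

// clientIPTrusted honours the header only when the TCP peer is a trusted proxy,
// then walks the chain right-to-left skipping trusted hops, so the result is the
// address appended by the first proxy we trust rather than whatever the client
// wrote at the front of the header.
func clientIPTrusted(r *http.Request, trusted []*net.IPNet) string {
	peer := remoteHost(r.RemoteAddr)
	peerIP := net.ParseIP(peer)
	if peerIP == nil || !inAny(peerIP, trusted) {
		return peer // direct connection: the header is attacker-controlled, ignore it
	}
	xff := strings.Join(r.Header.Values("X-Forwarded-For"), ",")
	if xff == "" {
		return peer
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return peer // malformed entry: refuse to guess, fall back to the peer
		}
		if !inAny(ip, trusted) {
			return ip.String()
		}
	}
	// Every hop was a trusted proxy, so the leftmost one originated the request.
	return strings.TrimSpace(hops[0])
}

func main() {
	trusted := mustCIDRs("10.0.0.0/8")
	// Direct client claiming to be inside the trusted range.
	direct := newRequest("203.0.113.7:51234", "10.0.0.1")
	fmt.Println("direct  naive:", clientIPNaive(direct), " trusted:", clientIPTrusted(direct, trusted))
	// Client behind a trusted proxy that prepended a forged entry.
	proxied := newRequest("10.0.0.5:4321", "1.2.3.4, 198.51.100.9")
	fmt.Println("proxied naive:", clientIPNaive(proxied), " trusted:", clientIPTrusted(proxied, trusted))
}
```

In the direct case the naive version reports 10.0.0.1, an address inside the trusted range, which is exactly how a spoofed header can satisfy a trusted-proxy or IP-range check; the hardened version reports the real peer, 203.0.113.7. Behind a real proxy, the forged leftmost entry 1.2.3.4 is skipped and the address the proxy appended, 198.51.100.9, is returned.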
References (3)
- https://caddyserver.com/v2 (vendor page; link reported broken)
- https://github.com/shift72/caddy-geo-ip/issues/4 (third-party advisory: issue report in the plugin repository)
- https://github.com/shift72/caddy-geo-ip/tags (release notes / tags)
Scores
CVSS v3: 6.5 (MEDIUM)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector: NETWORK
EPSS: 0.0066 (0.66% predicted probability of exploitation in the next 30 days)
EPSS Percentile: 46.4%
Details
CWE: CWE-290 (Authentication Bypass by Spoofing)
Status: published
Products (2)
shift72/caddy-geo-ip (Go): affected through 0.6.0, per the description above
caddyserver/caddy: Caddy 2, the server the middleware is loaded into (listed as the host product; the affected code is the plugin)
Published: Dec 10, 2023
Tracked Since: Feb 18, 2026