CVE-2025-48865

Description

Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities. Some of these custom headers can be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been patched in version 1.6.6.

CVSS v3.1 Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Weakness Type (CWE)

CWE-345 CWE-345

CWE-348 CWE-348

Affected Products

Vendor	Product	Versions
fabiolb	fabio	< 1.6.6

References

Advisories & Patches

https://github.com/fabiolb/fabio/commit/fdaf1e966162e9dd3b347ffdd0647b39dc71a1a3 https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf

Exploits

https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf

Other References

https://github.com/fabiolb/fabio/releases/tag/v1.6.6

Frequently Asked Questions

What is CVE-2025-48865? +

Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities. Some of these custom headers can be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been patched in version 1.6.6. It has a CVSS v3.1 base score of 9.1 (CRITICAL).

How severe is CVE-2025-48865? +

CVE-2025-48865 has a CVSS v3.1 score of 9.1 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.

What products are affected by CVE-2025-48865? +

CVE-2025-48865 affects products from fabiolb, specifically: fabio. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-48865? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-47202

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated …

CVE-2026-42206

Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, …

CVE-2025-21606

stats is a macOS system monitor in for the menu bar. The Stats application is vulnerable to a local privilege …

CVE-2025-25188

Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior …

CVE-2025-52484

RISC Zero is a general computing platform based on zk-STARKs and the RISC-V microarchitecture. Due to a missing constraint in …

CVE-2025-59160

Matrix JavaScript SDK is a Matrix Client-Server SDK for JavaScript and TypeScript. matrix-js-sdk before 38.2.0 has insufficient validation of room …