GHSA-7cqv-qcq2-r765: 1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-66508

1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers

Moderate severity GitHub Reviewed Published Dec 8, 2025 in 1Panel-dev/1Panel • Updated Dec 8, 2025

Package

gomod github.com/1Panel-dev/1Panel (Go)

Affected versions

< 2.0.14

gomod github.com/1Panel-dev/1Panel/agent (Go)

< 0.0.0-20251201063338-94f7d78cc976

0.0.0-20251201063338-94f7d78cc976

Summary

The server trusts all reverse-proxy headers by default, so any remote client can spoof X-Forwarded-For to bypass IP-based protections (AllowIPs, API IP whitelist, “localhost-only” checks). All IP-based access control becomes ineffective.

Details

• Gin is created with defaults (gin.Default()), which sets TrustedProxies = 0.0.0.0/0 and uses X-Forwarded-For/X-Real-IP to compute ClientIP().

• IP-based controls rely on ClientIP():

  • AllowIPs / BindDomain (core/middleware/ip_limit.go, core/utils/security/security.go).
  • API IP whitelist (core/middleware/api_auth.go).
  • “localhost-only” checks that depend on ClientIP().

• Because no trusted-proxy range is enforced, any client can send X-Forwarded-For: 127.0.0.1 (or a whitelisted IP) and be treated as coming from that address.

Impact

All IP-based access control is rendered ineffective: remote clients can masquerade as localhost or any whitelisted IP, defeating AllowIPs, API IP whitelists, and “localhost-only” protections.

References

• GHSA-7cqv-qcq2-r765
• 1Panel-dev/1Panel@94f7d78

Published to the GitHub Advisory Database

Dec 8, 2025