Mega-Fence Client IP Spoofing Vulnerability via Unvalidated X-Forwarded-For Header

Vulnerability

A vulnerability exists in Mega-Fence (webgate-lib.*) versions through 25.1.914, where the application improperly trusts the first value of the X-Forwarded-For (XFF) header as the client IP. This trust is granted without validating the authenticity of the proxy chain, allowing remote, unauthenticated attackers to spoof client IP addresses. The spoofed IP is then propagated to security-sensitive state, such as the WG_CLIENT_IP cookie. This vulnerability can be used to bypass IP allowlists and other access controls that rely on the accuracy of the client IP.

Impact

Exploitation of this vulnerability can lead to unauthorized access by bypassing IP-based allowlists and administrative restrictions. It can also disrupt auditing processes and evade rate limiting or abuse detection mechanisms, depending on the specific deployment and how the client IP is used.

Reproduction

To reproduce this vulnerability, send an HTTP request to a Mega-Fence application with a crafted X-Forwarded-For header that includes a spoofed IP address. The application will accept this value without validation and set the WG_CLIENT_IP cookie accordingly.

Remediation

To address this vulnerability, Mega-Fence deployments should only trust X-Forwarded-For headers from requests where the REMOTE_ADDR is within a configured trusted proxy CIDR range. It is also recommended to establish a clear precedence order for multiple IP-related headers and to default to ignoring client-supplied IP headers unless explicitly enabled and documented.
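As an added example (not Mega-Fence code), the following Python contrasts the behaviour the advisory describes, trusting the first XFF value unconditionally, with the remediation it recommends: forwarding headers are honoured only when REMOTE_ADDR is a configured trusted proxy, headers are ignored by default until a precedence list is explicitly enabled, and the chain is walked from the nearest hop backwards. The trusted CIDR range and the header names are constructed assumptions.

```python
from __future__ import annotations
import ipaddress
from typing import Dict, Iterable, Sequence

# Constructed sample: the CIDR range of the deployment's own reverse proxies.
TRUSTED_PROXY_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]


def vulnerable_client_ip(remote_addr: str, xff: str) -> str:
    """Behaviour the advisory describes: first XFF value trusted without validation."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def _is_trusted_proxy(addr: str, trusted: Iterable) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not a valid IP literal, so never a trusted hop
    return any(ip in net for net in trusted)


def hardened_client_ip(remote_addr: str, headers: Dict[str, str],
                       trusted: Sequence = TRUSTED_PROXY_CIDRS,
                       precedence: Sequence[str] = ()) -> str:
    """Resolve the client IP, trusting IP headers only from trusted proxies.

    precedence lists the header names to honour, in order; the empty default
    means client-supplied IP headers are ignored until explicitly enabled.
    """
    # The socket peer (REMOTE_ADDR) is the only address the server can authenticate.
    if not precedence or not _is_trusted_proxy(remote_addr, trusted):
        return remote_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in precedence:
        hops = [h.strip() for h in lowered.get(name.lower(), "").split(",") if h.strip()]
        if not hops:
            continue  # header absent or empty: try the next header in precedence
        # Each trusted proxy appends the peer address it saw, so walking from the
        # nearest hop backwards, the first non-proxy address is the real client.
        for hop in reversed(hops):
            if not _is_trusted_proxy(hop, trusted):
                try:
                    return str(ipaddress.ip_address(hop))
                except ValueError:
                    return remote_addr  # malformed hop: never propagate attacker text
        return remote_addr  # every hop was one of our own proxies
    return remote_addr
```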

Added: Jan 5, 2026, 4:20 PM
Updated: Jan 5, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 8.7
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.