Technologyglobal✓ verified · 90%

Heimdall: Forwarded Header Injection via Unsanitized Host Header in Proxy Mode

Name: Heimdall: Forwarded Header Injection via Unsanitized Host Header in Proxy Mode
Start: 2026-06-18T14:24:41Z
Location: Global (internet)

When: 2026-06-18 14:24 UTC
Where: Global (internet)
Category: cyber_advisory · go

### Summary When Heimdall operates in proxy mode, it constructs the `Forwarded` HTTP header after executing the matched rule pipeline by inserting the incoming request's `Host` header value directly into the header string without sanitizing commas or semicolons. This allows an attacker to inject additional parameters into the `Forwarded` header, potentially spoofing IP addresses for upstream services. ### Vulnerable Code **File: `proxy/request_context.go` (line 201)** ```go entry := "for=" + clientIP + ";host=" + in.Host + ";proto=" + proto ``` Go's `net/http` allows commas and semicolons in Host header values. No sanitization is applied before string concatenation. ### PoC ```bash # Inject a spoofed IP into the Forwarded header curl -s -H "Host: evil.com,for=127.0.0.1" \ "http://TARGET:PORT/protected-resource" ``` This produces the following `Forwarded` header sent to the upstream service: ``` Forwarded: for=1.2.3.4;host=evil.com, for=127.0.0.1;proto=http ``` Upstream services that parse the `Forwarded` header according to RFC 7239 will see two entries. If the service trusts the last or any `for=` value, the attacker successfully spoofs `127.0.0.1` as the client IP. ```bash # More targeted attack: spoof to bypass IP allowlist curl -s -H "Host: legit.com;for=10.0.0.1;proto=https,for=192.168.1.1" \ "http://TARGET:PORT/admin-panel" ``` ### Impact - **IP spoofing:** Upstream services behind Heimdall may trust the injected `for=` value, believing the request originates from an internal/trusted IP - **Access control bypass:** Applications that restrict access based on IP address by themselves, without using the corresponding heimdall capabilities (e.g., admin panels, internal APIs), can be bypassed - **Affects all proxy-mode deployments** where upstream services parse the `Forwarded` header.

Sources

GitHub Advisory Database ↗ · first seen 2026-06-18 14:24 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

No correlated events found in the current window. As more events arrive, connections form automatically.

← Back to the live map