CVE-2025-65328

Exploit

EPSS 0.09%
Veröffentlicht 05.01.2026 16:15:42
Zuletzt bearbeitet 30.01.2026 01:35:38
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. An attacker can supply an arbitrary XFF value in a remote request to spoof the client IP, which is then propagated to security-relevant state (e.g., WG_CLIENT_IP cookie). Deployments that rely on this value for IP allowlists may be bypassed.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mega-fence Project ≫ Mega-fence Version <= 25.1.914

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.252

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-807 Reliance on Untrusted Inputs in a Security Decision

The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

https://drive.proton.me/urls/MY05PVBFXG#xDd2Xqy98WM9

Broken Link

https://raw.githubusercontent.com/p1aintext/CVE/main/CVE-2025-65328.md

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-65328

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-65328

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-65328

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-65328