CVE-2022-24594

An attacker sends an HTTP POST request to the waline `/comment` endpoint with arbitrary values in the `X-Forwarded-For` or `True-Client-IP` headers [ref_id=1]. The server accepts these headers as the client's real IP address without verification, allowing the attacker to forge any IP address [ref_id=1]. No authentication or special network position is required; the attacker only needs the ability to send HTTP requests to a publicly deployed waline instance [ref_id=1].

The advisory does not specify exact function or file paths. The issue is in the server-side IP-address extraction logic of waline, which trusts the `X-Forwarded-For` and `True-Client-IP` headers without validation [ref_id=1]. The PoC targets the `/comment` endpoint [ref_id=1].

The advisory states that on self-hosted environments, the server can be configured to set `maxIpsCount` to the number of proxy server layers so that only the true client IP is used, and the Koa.js `trust proxy` setting should be enabled [ref_id=1]. For Vercel deployments, the maintainers noted there is no server-side fix available; the recommendation is to block forged headers at a reverse proxy or WAF layer [ref_id=1]. No code patch is provided in the advisory.

The advisory includes a Python PoC script [ref_id=1]. The script sends a POST request to `https://