VYPR
Critical severity · NVD Advisory · Published Oct 13, 2022 · Updated May 15, 2025

Origin Validation Error in ikus060/rdiffweb

CVE-2022-3457

Description

Origin Validation Error in GitHub repository ikus060/rdiffweb prior to 2.5.0a5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-3457 is an origin validation error in rdiffweb before 2.5.0a5 that could allow unauthorized cross-origin requests.

Vulnerability

Overview

CVE-2022-3457 is an Origin Validation Error in the web application rdiffweb, a backup management tool. The vulnerability exists in versions prior to 2.5.0a5, and it stems from improper validation of the HTTP Origin header [1][2]. The Origin header indicates the scheme, hostname, and port that caused the request; a missing or lax check can allow an attacker to craft cross-origin requests that the server treats as legitimate [2].

Exploitation

Prerequisites

An attacker would need to trick an authenticated rdiffweb user into visiting a malicious webpage. This cross-origin request could then be sent to the rdiffweb server, and due to the origin validation error, the server may accept the request as if it came from its own origin. The attack does not require network access to the rdiffweb server beyond the typical web interface; it leverages the user's browser and existing session cookies or authentication tokens [1].
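The Overview and Prerequisites above describe a lax Origin check that lets a cross-origin POST pass as same-origin. The added example below, which is not rdiffweb's own code, models the two compares visible in the fix commit for this CVE (a prefix match, then an exact string match) and adds a third, parsed comparison as an assumption of what a stricter check could look like. The function names, the `request_base` parameter (standing in for the server's own scheme://host[:port]) and every sample origin are constructed for illustration.

```python
"""Origin-header validation for state-changing requests: the pre-fix prefix
match, the exact match the fix adopted, and an assumed parsed variant.

Added example, not rdiffweb's code. Helper names and sample origins are
constructed; ``request_base`` stands in for the server's own origin.
"""
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def origin_allowed_prefix(method, origin, request_base):
    """Pre-fix behaviour: any Origin that merely starts with our base passes."""
    if method not in STATE_CHANGING or origin is None:
        return True
    return origin.startswith(request_base)


def origin_allowed_exact(method, origin, request_base):
    """Fixed behaviour: the Origin string must equal our base exactly."""
    if method not in STATE_CHANGING or origin is None:
        return True
    return origin == request_base


def _normalise(url):
    """Return (scheme, host, port) with the default port filled in, or None
    when the value is not a well-formed http(s) origin (e.g. the literal 'null')."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port            # raises ValueError on a bad port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, port)   # hostname is lower-cased


def origin_allowed_parsed(method, origin, request_base):
    """Assumed stricter variant (not the project's code): compare parsed
    origins, so an omitted default port or upper-case host still matches
    and anything unparseable is refused."""
    if method not in STATE_CHANGING or origin is None:
        return True
    expected = _normalise(request_base)
    return expected is not None and _normalise(origin) == expected


# Constructed sample: the server is reachable on the default https port.
SERVER_BASE = "https://backup.example.com"

SAMPLE_ORIGINS = {
    "same origin":        "https://backup.example.com",
    "explicit port":      "https://backup.example.com:443",
    "host-suffix bypass": "https://backup.example.com.attacker.example",
    "other site":         "https://attacker.example",
    "opaque origin":      "null",
}


def evaluate(request_base=SERVER_BASE, origins=SAMPLE_ORIGINS, method="POST"):
    """Run every check over the sample origins.

    Returns {label: (prefix_ok, exact_ok, parsed_ok)} so the three
    policies can be compared side by side for one request."""
    return {
        label: (
            origin_allowed_prefix(method, origin, request_base),
            origin_allowed_exact(method, origin, request_base),
            origin_allowed_parsed(method, origin, request_base),
        )
        for label, origin in origins.items()
    }


if __name__ == "__main__":
    for label, (prefix_ok, exact_ok, parsed_ok) in evaluate().items():
        print(f"{label:20s} prefix={prefix_ok!s:5} exact={exact_ok!s:5} parsed={parsed_ok!s:5}")
```

Running the block shows the host-suffix case as the one the prefix compare accepts and both stricter compares refuse, while the explicit-port case shows the cost of the exact string match: a browser that includes the default port is rejected by `==` but accepted by the parsed compare. Note that every variant lets a request with no Origin header through, so the protection relies on the client sending one.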

Impact

If exploited, this vulnerability could allow an attacker to perform actions on behalf of the authenticated user, such as accessing backup data, modifying configurations, or executing other operations available through the web interface. The exact impact depends on the permissions of the targeted user account and the features exposed by rdiffweb, which include browsing backups, restoring files, and managing SSH keys [1].

Remediation

The vulnerability is fixed in rdiffweb version 2.5.0a5 and later. Users are strongly advised to upgrade to the latest version to mitigate the risk. No workarounds have been publicly documented; updating the software is the recommended course of action [3][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
rdiffweb (PyPI)    < 2.5.0a5           2.5.0a5

Affected products (2)

  • ghsa-coords
    Range: < 2.5.0a5
  • ikus060/ikus060/rdiffwebv5
    Range: unspecified

Patches (1)

afc1bdfab516

Enforce 'Origin' validation

https://github.com/ikus060/rdiffweb · Patrik Dufresne · Oct 11, 2022 · via ghsa
3 files changed · +11 −1
  • rdiffweb/controller/tests/test_secure_headers.py (+9 −0, modified)
    @@ -93,6 +93,15 @@ def test_post_with_wrong_origin(self):
             self.assertStatus(403)
             self.assertInBody('Unexpected Origin header')
     
    +    def test_post_with_prefixed_origin(self):
    +        # Given a POST request made to rdiffweb
    +        # When the request is made using a different origin
    +        base = 'http://%s:%s' % (self.HOST + 'anything.com', self.PORT)
    +        self.getPage('/dashboard/', headers=[('Origin', base)], method='POST')
    +        # Then the request is accepted with 200 OK
    +        self.assertStatus(403)
    +        self.assertInBody('Unexpected Origin header')
    +
         def test_post_with_valid_origin(self):
             # Given a POST request made to rdiffweb
             # When the request is made using a different origin
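Review bot: the "# Then the request is accepted with 200 OK" comment in the new test contradicts the two assertions under it, which expect 403 and 'Unexpected Origin header'; change it to "# Then the request is rejected with 403" so the test documents the intended behaviour. Also check that the constructed origin actually exercises the old prefix bug: `'http://%s:%s' % (self.HOST + 'anything.com', self.PORT)` yields `http://<HOST>anything.com:<PORT>`, which does not start with `http://<HOST>:<PORT>` unless the harness's `request.base` omits the port, so the test may pass against the old `startswith` check too. Appending the suffix after the port (e.g. `'http://%s:%s.anything.com' % (self.HOST, self.PORT)`) gives a string the old check would have accepted and the new one rejects.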
    
  • rdiffweb/tools/secure_headers.py (+1 −1, modified)
    @@ -59,7 +59,7 @@ def set_headers(
         # Check if Origin matches our target.
         if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
             origin = request.headers.get('Origin', None)
    -        if origin and not origin.startswith(request.base):
    +        if origin and origin != request.base:
                 raise cherrypy.HTTPError(403, 'Unexpected Origin header')
     
         # Check if https is enabled
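Review bot: replacing `startswith` with `==` on the compare line closes the host-suffix case (an Origin of the form `<base>.attacker.example` satisfied the old prefix test), but two points remain. The `if origin and ...` guard still admits a state-changing request that carries no Origin header at all, so the check relies on the client sending one; that assumption deserves a sentence in the comment above the block. Exact string equality is also sensitive to how `request.base` is derived: if the server sits behind a TLS-terminating proxy and sees `http://` while the browser sends `Origin: https://...`, or if one value carries an explicit port and the other does not, legitimate same-site POSTs will now be refused with 403. Confirm the proxy configuration sets the external scheme and host before this tool runs, or compare the parsed scheme, host and port rather than the raw strings.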
    
  • README.md (+1 −0, modified)
    @@ -135,6 +135,7 @@ This next release focus on two-factor-authentication as a measure to increase se
     * Limit incorrect attempts to change the user's password to prevent brute force attacks #225 [CVE-2022-3273](https://nvd.nist.gov/vuln/detail/CVE-2022-3273)
     * Enforce password policy new password cannot be set as new password [CVE-2022-3376](https://nvd.nist.gov/vuln/detail/CVE-2022-3376)
     * Enforce better rate limit on login, mfa, password change and API [CVE-2022-3439](https://nvd.nist.gov/vuln/detail/CVE-2022-3439) [CVE-2022-3456](https://nvd.nist.gov/vuln/detail/CVE-2022-3456)
    +* Enforce 'Origin' validation [CVE-2022-3457](https://nvd.nist.gov/vuln/detail/CVE-2022-3457)
     
     Breaking changes:
     
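Review bot: the changelog line names the CVE but says nothing about what changed for operators. Since the Origin compare in `rdiffweb/tools/secure_headers.py` moved from a prefix match to exact equality, a short note that the browser-visible scheme, host and port must now match the server's own base (which matters behind a reverse proxy) would spare upgraders an unexpected 403 on POST.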
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)
