VYPR
Moderate severity · NVD Advisory · Published Dec 22, 2022 · Updated Apr 10, 2025

Open Redirect in ikus060/rdiffweb

CVE-2022-4644

Description

Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

High-severity open redirect in Rdiffweb before 2.5.4 allows attackers to redirect users to malicious sites via crafted X-Forwarded-Host headers.

Overview

The vulnerability is an open redirect in Rdiffweb versions prior to 2.5.4. The root cause is improper handling of the X-Forwarded-Host HTTP header. The application did not discard or validate this header, allowing an attacker to supply an arbitrary host value that the server would then use to generate redirect URLs. [1][4]

Exploitation

An attacker can exploit this by sending a crafted request to any Rdiffweb instance that includes a malicious X-Forwarded-Host header. No authentication is required, and the attack can be performed over the network. When the server processes the request, it constructs a redirect URL based on the attacker-supplied host, which may point to a phishing site or other malicious destination. [2][4] The fix in commit 5f86167 explicitly discards X-Forwarded-Host headers by setting the local parameter to None in the CherryPy proxy tool. [4]

Impact

A successful open redirect can be used to trick users into visiting attacker-controlled websites, leading to potential credential theft, malware installation, or other social engineering attacks. The vulnerability is rated high severity (CVSS score not provided in the description, but assessed as high). [2]

Mitigation

The vulnerability is fixed in Rdiffweb version 2.5.4. Users should upgrade to this or a later version immediately. There is no evidence of exploitation in the wild (no KEV listing). The fix was applied in commit 5f861670ef8f38ca8eea52a98672d0e0fabb5368. [2][4]
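The following Python model is an added illustration, not code from rdiffweb or from CherryPy. It reproduces only the shape of the header handling the advisory describes: a proxy tool that, when given a `local` header name, takes the first comma-separated value of that header as the host on which redirects are built, and that ignores the header when `local` is None (the change in commit 5f86167). The scheme handling is simplified, the host names and request headers are constructed samples, and `resolve_base_allowlisted` is a hypothetical hardened variant for deployments that genuinely sit behind a reverse proxy; it is not part of the rdiffweb fix.

```python
# Added illustration (not rdiffweb's or CherryPy's code): how a proxy-aware
# redirect base is derived from request headers, with the pre-fix behaviour
# (trust X-Forwarded-Host) beside the fixed behaviour (local=None) and an
# allowlisted variant for deployments that really sit behind a reverse proxy.
from urllib.parse import urlsplit

LOCAL_HEADER = "X-Forwarded-Host"  # header CherryPy's proxy tool reads by default


def resolve_base(headers, request_host, scheme="https", local=LOCAL_HEADER):
    """Base URL that in-app redirects are built on.

    `headers` is a dict of request headers; `request_host` is the Host the
    server itself saw. When `local` names a header and the request carries it,
    the first comma-separated value replaces the host (the pre-2.5.4 behaviour,
    since the proxy tool defaulted `local` to X-Forwarded-Host). Passing
    local=None, as the fix does, ignores the header entirely.
    Scheme handling is simplified to a fixed value for this illustration.
    """
    host = request_host
    if local is not None:
        forwarded = headers.get(local)
        if forwarded:
            host = forwarded.split(",")[0].strip()
    return f"{scheme}://{host}"


def resolve_base_allowlisted(headers, request_host, trusted_hosts, scheme="https"):
    """Hypothetical variant: honour X-Forwarded-Host only when its value is on
    an operator-maintained allowlist; anything else falls back to the real Host."""
    forwarded = (headers.get(LOCAL_HEADER) or "").split(",")[0].strip().lower()
    if forwarded and forwarded in {h.lower() for h in trusted_hosts}:
        return f"{scheme}://{forwarded}"
    return f"{scheme}://{request_host}"


def redirect_location(headers, request_host, path, **kw):
    """Absolute Location header value for an in-app redirect to `path`."""
    return resolve_base(headers, request_host, **kw) + path


def is_off_origin(location, request_host):
    """True when a redirect points at a host other than the one served."""
    return urlsplit(location).hostname != request_host.split(":")[0].lower()


# Constructed sample requests: the first is benign, the second carries a
# foreign host in X-Forwarded-Host, the third a comma-separated chain whose
# first element is foreign.
SAMPLE_REQUESTS = [
    {"Host": "backup.example.org"},
    {"Host": "backup.example.org", "X-Forwarded-Host": "forged.example.net"},
    {"Host": "backup.example.org",
     "X-Forwarded-Host": "forged.example.net, backup.example.org"},
]


def audit(requests, request_host="backup.example.org", path="/login/"):
    """For each request, report whether the pre-fix and fixed configurations
    would have emitted a redirect that leaves the served origin."""
    report = []
    for hdrs in requests:
        before = redirect_location(hdrs, request_host, path)             # local=X-Forwarded-Host
        after = redirect_location(hdrs, request_host, path, local=None)  # the 2.5.4 fix
        report.append({
            "forwarded_host": hdrs.get(LOCAL_HEADER),
            "before_fix": before,
            "after_fix": after,
            "before_off_origin": is_off_origin(before, request_host),
            "after_off_origin": is_off_origin(after, request_host),
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_REQUESTS):
        print(row)
```

Running the audit over the constructed requests shows the pre-fix configuration emitting off-origin redirects for the second and third requests while the fixed configuration stays on `backup.example.org` for all three. The allowlisted variant is the option to consider where the application must honour a proxy's forwarded host: it keeps redirects working behind a legitimate proxy without trusting an arbitrary client-supplied value.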

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
rdiffweb (PyPI)    < 2.5.4             2.5.4

Affected products

2
  • ghsa-coords
    Range: < 2.5.4
  • ikus060/ikus060/rdiffwebv5
    Range: unspecified

Patches

1
5f861670ef8f

Discard `X-Forwarded-Host` headers

https://github.com/ikus060/rdiffweb · Patrik Dufresne · Dec 6, 2022 · via ghsa
2 files changed · +5 −1
  • rdiffweb/rdw_app.py (+1 −1, modified)
    @@ -85,7 +85,7 @@
     @cherrypy.tools.currentuser(userobj=lambda username: UserObject.get_user(username))
     @cherrypy.tools.db()
     @cherrypy.tools.enrich_session()
    -@cherrypy.tools.proxy(remote='X-Real-IP')
    +@cherrypy.tools.proxy(local=None, remote='X-Real-IP')
     @cherrypy.tools.secure_headers()
     class Root(LocationsPage):
         def __init__(self):
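Review bot: `local=None` stops the proxy tool from taking the request base from `X-Forwarded-Host`, so `cherrypy.url()`-built redirects will now use the `Host` the application itself receives; that also means a deployment behind a reverse proxy that rewrites `Host` to the backend address will start redirecting to that backend address. Suggest documenting that operators must pass `Host` through unchanged (or set the proxy tool's `base` explicitly), and noting that `remote='X-Real-IP'` remains trusted for the client address, which is only sound when the app is reachable exclusively through the proxy.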
    
  • README.md (+4 −0, modified)
    @@ -108,6 +108,10 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
     
     # Changelog
     
    +## Next Release - 2.5.4
    +
    +* Discard `X-Forwarded-Host` headers
    +
     ## 2.5.3 (2022-12-05)
     
     * Add support for WTForms v3 to support Debian Bookworm
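Review bot: the changelog entry "Discard `X-Forwarded-Host` headers" does not say this is a security fix or that redirects could previously be pointed at an attacker-chosen host; an operator scanning the changelog will not see the reason to upgrade. Suggest wording it as a security fix for the open redirect and adding the operational consequence (redirects now rely on the `Host` header, so reverse proxies must forward it unchanged), and filling in the release date on `## Next Release - 2.5.4` when it ships, matching the `## 2.5.3 (2022-12-05)` style.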
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
