Unrated severityNVD Advisory· Published Jan 5, 2026· Updated Jan 5, 2026

CVE-2025-65328

Description

Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. An attacker can supply an arbitrary XFF value in a remote request to spoof the client IP, which is then propagated to security-relevant state (e.g., WG_CLIENT_IP cookie). Deployments that rely on this value for IP allowlists may be bypassed.

Affected products

Mega-Fence/webgate-libdescription
Mega-Fence/webgate-libllm-create
Range: <=25.1.914

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

drive.proton.me/urls/MY05PVBFXGmitre
raw.githubusercontent.com/p1aintext/CVE/main/CVE-2025-65328.mdmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000