VYPR
Moderate severityNVD Advisory· Published Dec 9, 2025· Updated Dec 9, 2025

1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers

CVE-2025-66508

Description

1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.14 and below use Gin's default configuration which trusts all IP addresses as proxies (TrustedProxies = 0.0.0.0/0), allowing any client to spoof the X-Forwarded-For header. Since all IP-based access controls (AllowIPs, API whitelists, localhost-only checks) rely on ClientIP(), attackers can bypass these protections by simply sending X-Forwarded-For: 127.0.0.1 or any whitelisted IP. This renders all IP-based security controls ineffective. This issue is fixed in version 2.0.14.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/1Panel-dev/1PanelGo
< 2.0.142.0.14
github.com/1Panel-dev/1Panel/agentGo
< 0.0.0-20251201063338-94f7d78cc9760.0.0-20251201063338-94f7d78cc976

Affected products

4

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.