Moderate severityNVD Advisory· Published Dec 9, 2025· Updated Dec 9, 2025
1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers
CVE-2025-66508
Description
1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.14 and below use Gin's default configuration which trusts all IP addresses as proxies (TrustedProxies = 0.0.0.0/0), allowing any client to spoof the X-Forwarded-For header. Since all IP-based access controls (AllowIPs, API whitelists, localhost-only checks) rely on ClientIP(), attackers can bypass these protections by simply sending X-Forwarded-For: 127.0.0.1 or any whitelisted IP. This renders all IP-based security controls ineffective. This issue is fixed in version 2.0.14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/1Panel-dev/1PanelGo | < 2.0.14 | 2.0.14 |
github.com/1Panel-dev/1Panel/agentGo | < 0.0.0-20251201063338-94f7d78cc976 | 0.0.0-20251201063338-94f7d78cc976 |
Affected products
4- ghsa-coords3 versionspkg:golang/github.com/1panel-dev/1panelpkg:golang/github.com/1panel-dev/1panel/agentpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 2.0.14+ 2 more
- (no CPE)range: < 2.0.14
- (no CPE)range: < 0.0.0-20251201063338-94f7d78cc976
- (no CPE)range: < 0.0.20251230T014957-150000.1.134.1
- Range: < 2.0.14
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-7cqv-qcq2-r765ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-66508ghsaADVISORY
- github.com/1Panel-dev/1Panel/commit/94f7d78cc9768ee244da33e09408017d1f68b5edghsax_refsource_MISCWEB
- github.com/1Panel-dev/1Panel/security/advisories/GHSA-7cqv-qcq2-r765ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.