GHSA-4jgr-pg2m-m988: Heimdall: Forwarded Header Injection via Unsanitized Host Header in Proxy Mode

June 18, 2026

When Heimdall operates in proxy mode, it constructs the Forwarded HTTP header after executing the matched rule pipeline by inserting the incoming request’s Host header value directly into the header string without sanitizing commas or semicolons. This allows an attacker to inject additional parameters into the Forwarded header, potentially spoofing IP addresses for upstream services.

References

github.com/advisories/GHSA-4jgr-pg2m-m988
github.com/dadrus/heimdall/security/advisories/GHSA-4jgr-pg2m-m988

Code Behaviors & Features

Detect and mitigate GHSA-4jgr-pg2m-m988 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →