Advisory Database

CVE-2024-45410: HTTP client can manipulate custom HTTP headers that are added by Traefik

September 19, 2024 (updated September 25, 2024)

When an HTTP request is processed by Traefik, certain HTTP headers such as X-Forwarded-Host or X-Forwarded-Port are added by Traefik before the request is routed to the application. An HTTP client should not be able to remove or modify these headers: because the application trusts their values, security implications can arise if they can be altered.

For HTTP/1.1, however, it was found that some of these custom headers can indeed be removed and, in certain cases, manipulated. The attack relies on the HTTP/1.1 rule that a sender may declare headers to be hop-by-hop by naming them in the Connection header, which a compliant proxy then strips before forwarding the request. By sending the following Connection header, the X-Forwarded-Host header can, for example, be removed:

Connection: close, X-Forwarded-Host

Depending on how the receiving application handles a missing header, security implications may arise. Moreover, some application frameworks (e.g. Django, via the CGI/WSGI convention) first transform "-" to "_" in header names, so that X-Forwarded-Host and a client-supplied X_Forwarded_Host collapse onto the same key (HTTP_X_FORWARDED_HOST). Once the genuine header has been removed, the client's value is the one the application reads, so in these cases the HTTP client can effectively modify these headers rather than merely remove them.
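
The removal-then-modification chain described above, as an added example written for this page in Go (the language Traefik is implemented in); it is not Traefik's code and not the patch from the referenced commit. It models a reverse proxy that adds X-Forwarded-* headers and then applies HTTP/1.1 hop-by-hop removal, as the advisory describes, beside a hardened variant. The protected-header list beyond X-Forwarded-Host and X-Forwarded-Port, the backend's CGI key mapping, and the request headers are assumptions constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/textproto"
	"strings"
)

// Headers the proxy sets itself and the backend trusts. Traefik adds
// X-Forwarded-Host and X-Forwarded-Port; the other names are assumed here.
var protectedHeaders = []string{"X-Forwarded-Host", "X-Forwarded-Port", "X-Forwarded-Proto", "X-Forwarded-For"}

// cgiKey maps a header name onto the CGI/WSGI environ key a framework such as
// Django reads: "-" becomes "_", upper-case, "HTTP_" prefix. Both
// "X-Forwarded-Host" and "X_Forwarded_Host" yield HTTP_X_FORWARDED_HOST.
func cgiKey(name string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
}

// isProtected reports whether name collides with a protected header after CGI
// normalisation, so underscore spellings are caught as well.
func isProtected(name string) bool {
	k := cgiKey(name)
	for _, p := range protectedHeaders {
		if cgiKey(p) == k {
			return true
		}
	}
	return false
}

// connectionTokens returns every comma-separated token in the Connection header(s).
func connectionTokens(h http.Header) []string {
	var toks []string
	for _, v := range h.Values("Connection") {
		for _, t := range strings.Split(v, ",") {
			if t = textproto.TrimString(t); t != "" {
				toks = append(toks, t)
			}
		}
	}
	return toks
}

// removeHopByHop applies the HTTP/1.1 hop-by-hop rule (RFC 7230 section 6.1):
// every header named in Connection is dropped, then Connection itself.
// net/http/httputil's ReverseProxy performs the same step before forwarding.
func removeHopByHop(h http.Header) {
	for _, t := range connectionTokens(h) {
		h.Del(t)
	}
	h.Del("Connection")
}

// forwardVulnerable models the pre-fix order of operations: the proxy adds its
// X-Forwarded-* headers and only then applies hop-by-hop removal, so a client's
// "Connection: close, X-Forwarded-Host" deletes the proxy's own header.
func forwardVulnerable(client http.Header, host, port string) http.Header {
	out := client.Clone()
	out.Set("X-Forwarded-Host", host)
	out.Set("X-Forwarded-Port", port)
	removeHopByHop(out)
	return out
}

// forwardFixed rewrites the client's Connection header so it can no longer name a
// protected header as hop-by-hop, drops client-supplied headers that fold onto a
// protected CGI key (e.g. X_Forwarded_Host), and only then sets its own values.
// The dropping step is defence in depth added here, not a description of Traefik's patch.
func forwardFixed(client http.Header, host, port string) http.Header {
	out := client.Clone()
	var kept []string
	for _, t := range connectionTokens(out) {
		if !isProtected(t) {
			kept = append(kept, t)
		}
	}
	out.Del("Connection")
	if len(kept) > 0 {
		out.Set("Connection", strings.Join(kept, ", "))
	}
	for name := range out { // deleting during range over a map is safe in Go
		if isProtected(name) {
			out.Del(name)
		}
	}
	out.Set("X-Forwarded-Host", host)
	out.Set("X-Forwarded-Port", port)
	removeHopByHop(out)
	return out
}

// wsgiEnviron shows what a CGI/WSGI backend sees: each header under its HTTP_*
// key. Names that normalise identically overwrite each other.
func wsgiEnviron(h http.Header) map[string]string {
	env := map[string]string{}
	for name, vals := range h {
		env[cgiKey(name)] = strings.Join(vals, ", ")
	}
	return env
}

// attackerHeaders is a constructed request: Connection marks the proxy's
// X-Forwarded-Host as hop-by-hop and an underscore variant supplies a replacement.
func attackerHeaders() http.Header {
	h := http.Header{}
	h.Set("Host", "app.example")
	h.Set("Connection", "close, X-Forwarded-Host")
	h.Set("X_Forwarded_Host", "evil.example")
	return h
}

func main() {
	for _, c := range []struct {
		label string
		fn    func(http.Header, string, string) http.Header
	}{{"vulnerable", forwardVulnerable}, {"fixed", forwardFixed}} {
		out := c.fn(attackerHeaders(), "app.example", "443")
		fmt.Printf("%-10s X-Forwarded-Host=%q HTTP_X_FORWARDED_HOST=%q\n",
			c.label, out.Get("X-Forwarded-Host"), wsgiEnviron(out)["HTTP_X_FORWARDED_HOST"])
	}
}
```

Running it prints both outcomes: the vulnerable variant forwards no X-Forwarded-Host at all, and once the backend folds X_Forwarded_Host onto the same environ key it reads the attacker's value; the hardened variant keeps the proxy's value and forwards neither the underscore variant nor the Connection header. Some servers already reject underscored header names; the hardened variant does not depend on that.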

This is similar to CVE-2022-31813 for Apache HTTP Server.

References

  • github.com/advisories/GHSA-62c8-mh53-4cqv
  • github.com/traefik/traefik
  • github.com/traefik/traefik/commit/584144100524277829f26219baaab29a53b8134f
  • github.com/traefik/traefik/releases/tag/v2.11.9
  • github.com/traefik/traefik/releases/tag/v3.1.3
  • github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv
  • nvd.nist.gov/vuln/detail/CVE-2024-45410

Affected versions

All 2.x versions before 2.11.9, and 3.x versions from 3.0.0 before 3.1.3

Fixed versions

  • 2.11.9
  • 3.1.3

Solution

Upgrade to version 2.11.9 or above on the 2.x line, or 3.1.3 or above on the 3.x line.

Impact: 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Weakness

  • CWE-345: Insufficient Verification of Data Authenticity
  • CWE-348: Use of Less Trusted Source

Source file

go/github.com/traefik/traefik/CVE-2024-45410.yml

Page generated Wed, 14 May 2025 12:15:29 +0000.