go-chi/chi, IP Spoofing via X-Forwarded-For, GHSA-9g5q-2w5x-hmxf (Medium) -DC-Jun2026-635


The vulnerability resides in the `RealIP()` middleware implementation within the go-chi/chi web framework. The function naively splits the `X-Forwarded-For` header by commas and returns the first IP address as the client’s true source IP.
This design is inherently insecure because the `X-Forwarded-For` header is client-controllable. In a typical proxy setup, a client’s request passes through one or more proxies before reaching the application server, and each proxy appends the connecting client’s IP to the end of the `X-Forwarded-For` header. Nothing prevents an attacker from sending the request with an `X-Forwarded-For` header already present, so a forged IP can be prepended before the first proxy ever sees the request.
When the request arrives at the server, the `X-Forwarded-For` header contains both the attacker’s forged IP and the legitimate proxy-appended IPs. Since `RealIP()` only reads the first value, the server is deceived into believing the forged IP is the true client source.
This flaw has severe implications for security controls that rely on the client IP for enforcement. Authentication rate limiters, access control lists (ACLs), and audit logging systems all become ineffective when the source IP can be arbitrarily controlled by an attacker.
The correct approach, as implemented in frameworks like labstack/echo, is to parse the `X-Forwarded-For` header from right to left, skipping known trusted proxy IPs, and using the first untrusted IP as the actual client. This methodology ensures that only IPs added by trusted proxies are considered valid, preventing spoofing from external clients.
The vulnerability is tracked under GitHub Security Advisory GHSA-9g5q-2w5x-hmxf. It affects all versions of go-chi/chi up to and including v5.1.0 that utilize the `RealIP` middleware. A replacement middleware, ClientIP, has been introduced in version v5.3.0 to address this issue.

DailyCVE Form:

Platform: go-chi/chi
Version: ≤ v5.1.0
Vulnerability: IP Spoofing
Severity: Medium
Date: 2026-03-03

Prediction: Already Patched

What Undercode Say:

Check your go.mod for the vulnerable version:
    grep "github.com/go-chi/chi/v5" go.mod
Upgrade to the patched version:
    go get github.com/go-chi/chi/v5@v5.3.0

Code Review:

// VULNERABLE: middleware/realip.go (v5.1.0)
// Splits X-Forwarded-For and takes the first (client-supplied) IP
func RealIP(h http.Handler) http.Handler {
    fn := func(w http.ResponseWriter, r *http.Request) {
        // ...
        if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
            ips := strings.Split(xff, ",")
            r.RemoteAddr = strings.TrimSpace(ips[0]) // ← VULNERABLE: leftmost entry is whatever the client sent
        }
        // ...
        h.ServeHTTP(w, r)
    }
    return http.HandlerFunc(fn)
}

// FIXED: middleware/clientip.go (v5.3.0)
// Parses from the end, skips trusted proxies
func ClientIP(h http.Handler) http.Handler {
    // ...
    // Iterates from the end of X-Forwarded-For (the entries appended by our own proxies)
    // Skips IPs in the trusted proxy list
    // Returns the first untrusted IP as the client address
    // ...
}
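To make the right-to-left, trusted-proxy parsing described above concrete, here is an added example (not chi's code; `ClientIP`, `NaiveFirstXFF`, the trusted CIDR `10.0.0.0/8` and the addresses `203.0.113.7` / `198.51.100.9` are constructed for illustration). It puts the naive first-entry logic of `RealIP` beside a parser that only honours `X-Forwarded-For` when the TCP peer is itself a trusted proxy, then walks the header from the right, skipping trusted hops, and feeds both the forged header used later on this page:

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NaiveFirstXFF reproduces the vulnerable RealIP pattern: split on commas and
// trust the leftmost entry, which is whatever the client chose to send.
func NaiveFirstXFF(r *http.Request) string {
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return r.RemoteAddr
	}
	return strings.TrimSpace(strings.Split(xff, ",")[0])
}

// ParseTrusted turns proxy CIDRs into networks; a typo in this list is a
// configuration error, so fail loudly rather than silently trusting nothing.
func ParseTrusted(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic("bad trusted proxy CIDR " + c + ": " + err.Error())
		}
		nets = append(nets, n)
	}
	return nets
}

func isTrusted(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP (an assumed name, not chi's API) derives the client address safely:
//  1. If the TCP peer is not a trusted proxy, the header never passed through
//     our proxies and is ignored; the peer itself is the client.
//  2. Otherwise walk X-Forwarded-For right to left: the rightmost entries were
//     appended by our proxies and cannot be forged, so skip trusted hops until
//     the first untrusted address, which is the real client.
// A malformed entry or an all-trusted chain falls back to the peer address.
func ClientIP(r *http.Request, trusted []*net.IPNet) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr // no port present
	}
	peerIP := net.ParseIP(peer)
	if peerIP == nil || !isTrusted(peerIP, trusted) {
		return peer
	}
	parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(parts) - 1; i >= 0; i-- {
		s := strings.TrimSpace(parts[i])
		if s == "" {
			continue
		}
		ip := net.ParseIP(s)
		if ip == nil {
			return peer // garbage in the chain: keep it out of ACLs and logs
		}
		if !isTrusted(ip, trusted) {
			return ip.String()
		}
	}
	return peer
}

// newProxiedRequest builds a request as the application would see it: peer is
// the TCP source (host:port) and xff the header value. Constructed test input.
func newProxiedRequest(peer, xff string) *http.Request {
	r := httptest.NewRequest("GET", "/admin", nil)
	r.RemoteAddr = peer
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	trusted := ParseTrusted("10.0.0.0/8")
	// A client at 203.0.113.7 (constructed) sends the forged header
	// "127.0.0.1, 10.0.0.1"; the trusted proxy 10.0.0.1 appends the real peer.
	r := newProxiedRequest("10.0.0.1:40122", "127.0.0.1, 10.0.0.1, 203.0.113.7")
	fmt.Println("naive :", NaiveFirstXFF(r))     // 127.0.0.1 (spoofed)
	fmt.Println("safe  :", ClientIP(r, trusted)) // 203.0.113.7
	// The same header arriving directly, not via any trusted proxy.
	d := newProxiedRequest("198.51.100.9:5555", "127.0.0.1, 10.0.0.1")
	fmt.Println("direct:", ClientIP(d, trusted)) // 198.51.100.9
}
```

The peer check in step 1 is the part most often forgotten: without it, a request that reaches the application without passing through any proxy can still carry a crafted header, and right-to-left parsing alone would believe it. The trusted list must describe the proxies that actually sit in front of the service; listing whole private ranges is convenient in a lab but too broad for production.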

Exploit:

Forge the X-Forwarded-For header to spoof any IP:
    curl http://vulnerable-app:8080/admin \
      -H "X-Forwarded-For: 127.0.0.1, 10.0.0.1"
The server will treat 127.0.0.1 as the client IP, bypassing IP-based access controls.

Protection:

Upgrade to go-chi/chi v5.3.0 or later and replace `middleware.RealIP` with `middleware.ClientIP`. If upgrading is not immediately possible, configure your reverse proxy to strip or override the `X-Forwarded-For` header before it reaches the application, ensuring only trusted proxies can populate it.

Impact:

Attackers can spoof arbitrary source IP addresses. This allows bypassing IP-based authentication, rate limiting, and geographic restrictions. Audit logs become unreliable for forensic investigations, and brute-force protections can be trivially circumvented by rotating the forged IP on each request.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode