Netfoil, Allowlist Bypass, GHSA-84g5-x8j3-7235 (Medium)

How the CVE works:

The vulnerability is an incorrect allowlist enforcement caused by an off-by-one error in the suffixtrie implementation. The suffixtrie stores allowlisted domain suffixes and is walked from the last character of a candidate domain towards its first, so that exact matches and suffix (subdomain) matches are found in one pass. The loop that performs this traversal was written as for i := len(word) - 1; i > 0; i--, which stops at index 1 and never visits index 0, the first character of the string. When checking a domain such as “example.com”, the traversal therefore ignores the leading ‘e’. Any name that differs from an allowlisted entry only in its first character, for example “fxample.com” or “axample.com” when the allowlist contains “example.com”, is incorrectly treated as a match and allowed through, so the filter no longer enforces the intended restriction. The fix changes the loop condition to i >= 0, ensuring the first character is processed like every other. In practice this means an attacker can reach a destination that is not on the allowlist simply by using a name that differs from an allowlisted domain in its first character, and traffic that should have been blocked may pass.
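To make the off-by-one concrete, here is an added toy reconstruction (written for this page, not netfoil's source) of a reversed-string suffix trie whose traversal loop can be given either the vulnerable lower bound (i > 0, so index 0 is never visited) or the fixed one (i >= 0). It assumes that insertion and lookup share the same loop bound, which is the simplest model under which the bypass described above occurs; it deliberately omits label-boundary handling, which the advisory does not discuss. The allowlist and query names are constructed samples.

```go
package main

import "fmt"

// node is one character of a reversed domain name stored in the trie.
type node struct {
	children map[byte]*node
	end      bool // an allowlist entry ends at this node
}

func newNode() *node { return &node{children: make(map[byte]*node)} }

// SuffixTrie holds allowlisted domains reversed, so walking a query from its
// last character towards its first discovers allowlisted suffixes.
// Toy reconstruction for illustration only; not netfoil's implementation.
type SuffixTrie struct {
	root *node
	// lowest is the smallest string index the traversal loop visits.
	// The vulnerable loop `i > 0` stops at index 1, so lowest == 1.
	// The fixed loop `i >= 0` reaches index 0, so lowest == 0.
	lowest int
}

// NewVulnerableTrie models the pre-0.2.1 loop bound (assumed, see lead-in).
func NewVulnerableTrie() *SuffixTrie { return &SuffixTrie{root: newNode(), lowest: 1} }

// NewFixedTrie models the corrected loop bound.
func NewFixedTrie() *SuffixTrie { return &SuffixTrie{root: newNode(), lowest: 0} }

// Insert adds an allowlist entry, walking the string from its end.
// With lowest == 1 the first character is silently dropped from the key.
func (t *SuffixTrie) Insert(domain string) {
	n := t.root
	for i := len(domain) - 1; i >= t.lowest; i-- {
		child, ok := n.children[domain[i]]
		if !ok {
			child = newNode()
			n.children[domain[i]] = child
		}
		n = child
	}
	n.end = true
}

// Allowed reports whether domain equals an allowlist entry or ends with one.
// With lowest == 1 the query's first character is never compared either, so
// "fxample.com" and "example.com" collapse onto the same trie path.
func (t *SuffixTrie) Allowed(domain string) bool {
	n := t.root
	for i := len(domain) - 1; i >= t.lowest; i-- {
		child, ok := n.children[domain[i]]
		if !ok {
			return false
		}
		n = child
		if n.end {
			return true
		}
	}
	return false
}

func main() {
	allowlist := []string{"example.com"} // constructed sample allowlist
	queries := []string{"example.com", "api.example.com", "fxample.com", "evil.com"}

	vuln, fixed := NewVulnerableTrie(), NewFixedTrie()
	for _, d := range allowlist {
		vuln.Insert(d)
		fixed.Insert(d)
	}

	fmt.Printf("%-18s %-12s %s\n", "query", "vulnerable", "fixed")
	for _, q := range queries {
		fmt.Printf("%-18s %-12t %t\n", q, vuln.Allowed(q), fixed.Allowed(q))
	}
}
```

Running it shows both variants accepting “example.com” and “api.example.com” and rejecting “evil.com”, but only the vulnerable variant accepting “fxample.com”: the leading character is the only thing distinguishing it from the allowlisted entry, and that is exactly the character the i > 0 loop never examines.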

dailycve form:

Platform: Go (netfoil)
Version: <0.2.1
Vulnerability: allowlist bypass
Severity: Medium
Date: 2026-04-22

Prediction: 2026-04-29

What Undercode Say:

Check whether the installed version is vulnerable (anything below 0.2.1):
go list -m github.com/tinfoil-factory/netfoil
Test for the off-by-one bypass: attempt egress to a name that differs from an allowlisted entry only in its first character and confirm it is refused. The request below only exercises a filter that keys on the HTTP Host header; if the filter acts at DNS or connection level, resolve or connect to the altered name instead:
curl -H "Host: fxample.com" http://target
Verify the patch is applied (a heuristic only, since it matches any i >= 0 in the file; the module version is the authoritative check):
grep -r "i >= 0" vendor/github.com/tinfoil-factory/netfoil/suffixtrie.go

Exploit:

Change the first character of an allowlisted domain (e.g., “example.com” → “fxample.com”): the resulting name is not on the allowlist, yet the filter accepts it because the traversal never compares that character.

Protection from this CVE

Update netfoil to version 0.2.1 or later.

Add an independent filtering layer (for example a network-level egress policy) so that a bypass of the domain allowlist alone does not grant access.

Review allowlist logic for off-by-one flaws.

Impact:

Domain filter bypass; malicious traffic may reach internal resources. DNS filtering alone is insufficient.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
