Vulnerability Details CVE-2025-65328
Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. An attacker can supply an arbitrary XFF value in a remote request to spoof the client IP, which is then propagated to security-relevant state (e.g., WG_CLIENT_IP cookie). Deployments that rely on this value for IP allowlists may be bypassed.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 18.8%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2025-65328
-
cpe:2.3:a:mega-fence_project:mega-fence:*