GHSA-pqg7-v6wh-3pfp: TsDProxy: X-Forwarded-For header injection allows IP spoofing in proxied requests to backend services
Summary
TsDProxy, an HTTP reverse proxy (a server that forwards requests to backend services), fails to strip the X-Forwarded-For and X-Real-IP headers (HTTP headers that indicate a client's original IP address) from incoming requests before forwarding them to backend services. This allows an authenticated Tailscale user (someone with legitimate access to the network) to inject fake IP addresses that backend services trust for access control, potentially bypassing admin restrictions or manipulating audit logs.
Solution / Mitigation
Add r.Out.Header.Del("X-Forwarded-For") and r.Out.Header.Del("X-Real-IP") in the Rewrite closure in internal/proxymanager/port.go before calling r.SetXForwarded().
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-pqg7-v6wh-3pfp
First tracked: July 14, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%