How severe is CVE-2025-48865?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2025-48865?

This is classified as CWE-345, which is a common weakness in software security.

CVE-2025-48865 - CRITICAL Severity | CVSS 9.1

Vulnerability Description

Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like X-Forwarded-Host and X-Forwarded-Port when routing requests to backend applications. Since the receiving application should trust these headers, allowing HTTP clients to remove or modify them creates potential security vulnerabilities. Some of these custom headers can be removed and, in certain cases, manipulated. The attack relies on the behavior that headers can be defined as hop-by-hop via the HTTP Connection header. This issue has been patched in version 1.6.6.

Related Vulnerabilities

CVE-2015-6853

CRITICAL

CVSS:9.1(Critical)

The Domino web agent in CA Single Sign-On (aka SSO, formerly SiteMinder) R6, R12.0 before SP3 CR13, R12.0J before SP3 CR1.2, R12.5 before CR5, R12.51 before CR4, and R12.52 before SP1 CR3 allows remot...

CWE-3452015

CVE-2015-6854

CRITICAL

CVSS:9.1(Critical)

The non-Domino web agents in CA Single Sign-On (aka SSO, formerly SiteMinder) R6, R12.0 before SP3 CR13, R12.0J before SP3 CR1.2, and R12.5 before CR5 allow remote attackers to cause a denial of servi...

CWE-3452015

CVE-2019-12510

CRITICAL

CVSS:9.1(Critical)

In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may bypass all authentication checks on the device's "NETGEAR Genie" SOAP API ("/soap/server_sa") by supplying a malicious X-Forwarded-For ...

CWE-3452019

CVE-2019-5161

CRITICAL

CVSS:9.1(Critical)

An exploitable remote code execution vulnerability exists in the Cloud Connectivity functionality of WAGO PFC200 versions 03.02.02(14), 03.01.07(13), and 03.00.39(12). A specially crafted XML file wil...

CWE-3452019

CVE-2023-28863

CRITICAL

CVSS:9.1(Critical)

AMI MegaRAC SPx12 and SPx13 devices have Insufficient Verification of Data Authenticity.

CWE-3452023

CVE-2025-27558

CRITICAL

CVSS:9.1(Critical)

IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, or WPA3) or Wired Equivalent Privacy (WEP), an adversary can ex...

CWE-3452025