Description

1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.14 and below use Gin's default configuration which trusts all IP addresses as proxies (TrustedProxies = 0.0.0.0/0), allowing any client to spoof the X-Forwarded-For header. Since all IP-based access controls (AllowIPs, API whitelists, localhost-only checks) rely on ClientIP(), attackers can bypass these protections by simply sending X-Forwarded-For: 127.0.0.1 or any whitelisted IP. This renders all IP-based security controls ineffective. This issue is fixed in version 2.0.14.

INFO

Published Date :

2025-12-09T01:37:10.219Z

Last Modified :

2025-12-09T16:03:08.608Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66508 vulnerability.

Vendors Products
1panel
  • 1panel
Fit2cloud
  • 1panel
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66508.

URL Resource
https://github.com/1Panel-dev/1Panel/commit/94f7d78cc9768ee244da33e09408017d1f68b5ed cve-icon cve-icon
https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-7cqv-qcq2-r765 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact