Forwarding addresses is hard [CVE-2022-31813]

web
We discussed this vulnerability as part of our weekly podcast on 20 September 2022.

This is a vulnerability in Apache HTTPD's mod_proxy reverse proxy module. The issue comes down to an interesting logic bug in ap_proxy_create_hdrbrgd(), which cleared hop-by-hop request headers via ap_proxy_clear_connection() after adding the x-forwarded headers. As a result, x-forwarded headers that were passed in a hop-by-hop list are immediately dropped and never make it upstream. There are a few scenarios where this could be exploited, particularly where something relies on the x-forwarded headers (such as ExpressJS and its trust proxy setting, or certain Tomcat valves).
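The ordering problem can be modelled in a few lines. This is an added example, not Apache httpd source or its patch: every function name is hypothetical, the request and addresses are constructed, and the "fixed" order and the backend's fallback to the peer address are assumptions used to show why the order matters.

```python
# Simplified model of the header-processing order; not Apache httpd source.
# All function names here are hypothetical.

def clear_hop_by_hop(headers):
    """Drop the Connection header and every header it names (hop-by-hop)."""
    named = {t.strip().lower() for t in headers.get("connection", "").split(",") if t.strip()}
    return {k: v for k, v in headers.items() if k != "connection" and k not in named}

def add_forwarded(headers, client_ip):
    """Append the connecting client's address to X-Forwarded-For."""
    out = dict(headers)
    prior = out.get("x-forwarded-for")
    out["x-forwarded-for"] = f"{prior}, {client_ip}" if prior else client_ip
    return out

def build_upstream_vulnerable(headers, client_ip):
    # Order described above: add X-Forwarded-*, then clear hop-by-hop.
    return clear_hop_by_hop(add_forwarded(headers, client_ip))

def build_upstream_fixed(headers, client_ip):
    # Reverse order (assumed correction): clear hop-by-hop, then add X-Forwarded-*.
    return add_forwarded(clear_hop_by_hop(headers), client_ip)

def upstream_client_ip(headers, peer_ip, trusted_proxy):
    """Backend that trusts X-Forwarded-For only from its proxy, else uses the peer."""
    xff = headers.get("x-forwarded-for")
    if peer_ip == trusted_proxy and xff:
        return xff.split(",")[-1].strip()
    return peer_ip

# Constructed sample request (header names lower-cased), documentation addresses.
REQUEST = {"host": "app.example", "connection": "close, X-Forwarded-For"}
CLIENT, PROXY = "203.0.113.7", "192.0.2.1"

def demo():
    """Return the client address the backend derives under each ordering."""
    results = {}
    for name, build in (("vulnerable", build_upstream_vulnerable),
                        ("fixed", build_upstream_fixed)):
        upstream = build(REQUEST, CLIENT)
        results[name] = upstream_client_ip(upstream, PROXY, PROXY)
    return results

if __name__ == "__main__":
    print(demo())
```

With the vulnerable order the backend attributes the request to the proxy's own address, which is why IP-based checks behind the proxy are the main concern.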