CVE-2025-65328

Published: Jan 5, 2026

Modified: Jan 5, 2026

PUBLISHED

Description

Mega-Fence (webgate-lib.*) 25.1.914 and prior trusts the first value of the X-Forwarded-For (XFF) header as the client IP without validating a trusted proxy chain. An attacker can supply an arbitrary XFF value in a remote request to spoof the client IP, which is then propagated to security-relevant state (e.g., WG_CLIENT_IP cookie). Deployments that rely on this value for IP allowlists may be bypassed.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://drive.proton.me/urls/MY05PVBFXG#xDd2Xqy98WM9

https://raw.githubusercontent.com/p1aintext/CVE/main/CVE-2025-65328.md

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-65328

Description

Affected Products

References