GHSA-7cfm-pqrj-xgq7: 9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
9router's dashboard login rate limiter uses the attacker-controlled X-Forwarded-For HTTP header to identify clients. This allows an attacker to bypass brute-force protection by rotating the X-Forwarded-For value on each login attempt, effectively resetting the rate-limit counter. The vulnerability affects versions prior to 0.4.77. Without proper proxy header validation, the login lockout mechanism is ineffective, enabling unlimited login attempts. The presence of a default dashboard password amplifies the impact but is not the root cause.
AI Analysis
Technical Summary
The 9router dashboard login rate limiter derives client identity directly from the X-Forwarded-For HTTP header without verifying if the header is from a trusted proxy. This allows a remote attacker to spoof the X-Forwarded-For header on each login attempt, causing the rate limiter to treat each request as coming from a different client IP. Consequently, the rate limiter's lockout mechanism is bypassed, allowing unlimited brute-force login attempts. The vulnerability is due to the use of untrusted X-Forwarded-For values as keys for rate-limiting state. The issue is present in versions prior to 0.4.77.
Potential Impact
An attacker can bypass the login brute-force protection by spoofing the X-Forwarded-For header, effectively resetting the rate-limit counter on every login attempt. This renders the lockout mechanism ineffective, allowing unlimited password guessing attempts. If the default dashboard password is still in use, the attacker can gain unauthorized access more easily. The vulnerability compromises the confidentiality, integrity, and availability of the 9router dashboard authentication mechanism.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should ensure that 9router is not directly exposed to untrusted networks or is deployed behind a reverse proxy that properly overwrites or validates the X-Forwarded-For header. Avoid using default dashboard passwords to reduce impact. Implement additional authentication protections if possible.
GHSA-7cfm-pqrj-xgq7: 9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
Description
9router's dashboard login rate limiter uses the attacker-controlled X-Forwarded-For HTTP header to identify clients. This allows an attacker to bypass brute-force protection by rotating the X-Forwarded-For value on each login attempt, effectively resetting the rate-limit counter. The vulnerability affects versions prior to 0.4.77. Without proper proxy header validation, the login lockout mechanism is ineffective, enabling unlimited login attempts. The presence of a default dashboard password amplifies the impact but is not the root cause.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 9router dashboard login rate limiter derives client identity directly from the X-Forwarded-For HTTP header without verifying if the header is from a trusted proxy. This allows a remote attacker to spoof the X-Forwarded-For header on each login attempt, causing the rate limiter to treat each request as coming from a different client IP. Consequently, the rate limiter's lockout mechanism is bypassed, allowing unlimited brute-force login attempts. The vulnerability is due to the use of untrusted X-Forwarded-For values as keys for rate-limiting state. The issue is present in versions prior to 0.4.77.
Potential Impact
An attacker can bypass the login brute-force protection by spoofing the X-Forwarded-For header, effectively resetting the rate-limit counter on every login attempt. This renders the lockout mechanism ineffective, allowing unlimited password guessing attempts. If the default dashboard password is still in use, the attacker can gain unauthorized access more easily. The vulnerability compromises the confidentiality, integrity, and availability of the 9router dashboard authentication mechanism.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should ensure that 9router is not directly exposed to untrusted networks or is deployed behind a reverse proxy that properly overwrites or validates the X-Forwarded-For header. Avoid using default dashboard passwords to reduce impact. Implement additional authentication protections if possible.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-7cfm-pqrj-xgq7
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-55501"]
- Ecosystems
- ["npm"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a4c33f027e9c797195ec8b1
Added to database: 07/06/2026, 23:02:08 UTC
Last enriched: 07/06/2026, 23:06:25 UTC
Last updated: 07/06/2026, 23:06:25 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.