GHSA-PQ96-PWVG-VRR9

Vulnerability from github – Published: 2026-04-14 23:33 – Updated: 2026-04-14 23:33
VLAI?
Summary
frp has an authentication bypass in HTTP vhost routing when routeByHTTPUser is used for access control
Details

Summary

frp contains an authentication bypass in the HTTP vhost routing path when routeByHTTPUser is used as part of access control. In proxy-style requests, the routing logic uses the username from Proxy-Authorization to select the routeByHTTPUser backend, while the access control check uses credentials from the regular Authorization header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected routeByHTTPUser value may access a backend protected by httpUser / httpPassword even with an incorrect Proxy-Authorization password.

This issue affects deployments that explicitly use routeByHTTPUser. It does not affect ordinary HTTP proxies that do not use this feature.

Details

The issue is in pkg/util/vhost/http.go.

In proxy-style requests using an absolute URI, the routing path extracts the username from Proxy-Authorization and stores it as the request HTTPUser, which is then used for routeByHTTPUser route selection.

More specifically, injectRequestInfoToCtx() derives the routing user from Proxy-Authorization, while the original ServeHTTP() implementation used req.BasicAuth() for the authentication check.

Because routing and authentication use different credential sources, a request can be routed to a protected backend based on the Proxy-Authorization username while the authentication check is not performed against the same credentials. This creates an authentication bypass when routeByHTTPUser, httpUser, and httpPassword are used together.

This is not a universal anonymous bypass for all frp HTTP proxies; it is specific to deployments that use routeByHTTPUser and where the target user value is known or can be inferred.

A minimal fix is to make the authentication check in proxy mode use the same credential source as route selection, i.e. to derive proxy-mode credentials from Proxy-Authorization consistently.

From local Git history analysis, this logic appears to have been introduced by commit 4af85da0c2c6eb981142a8fdb44f885d26cb9d08, with the earliest containing release tag appearing to be v0.43.0.

PoC

I reproduced the issue with the official frp_0.68.0_linux_amd64.tar.gz release binaries both locally and on an internet-reachable test server under my control.

Minimal setup: - frps exposes an HTTP vhost entrypoint. - One HTTP proxy is configured with: - customDomains = ["example.test"] - routeByHTTPUser = "alice" - httpUser = "alice" - httpPassword = "secret" - The protected backend returns a constant marker string: PRIVATE.

Minimal request flow: 1. Direct unauthenticated request: - curl -i --proxy '' -H 'Host: example.test' http://<FRPS_HOST>:<VHOST_HTTP_PORT>/ - Result: 404 Not Found

  1. Direct request with correct backend credentials:
  2. curl -i --proxy '' -u alice:secret -H 'Host: example.test' http://<FRPS_HOST>:<VHOST_HTTP_PORT>/

  3. Result: 200 OK, body contains PRIVATE

  4. Proxy-style request with incorrect Proxy-Authorization:

  5. curl -i --noproxy '' -x http://<FRPS_HOST>:<VHOST_HTTP_PORT> --proxy-user alice:wrong http://example.test/
  6. Result: 200 OK, body contains PRIVATE

Observed minimal result summary: - DIRECT_NOAUTH -> 404 - DIRECT_BASICAUTH_GOOD -> 200 PRIVATE - PROXY_PROXYAUTH_WRONGPASS -> 200 PRIVATE

This was reproduced against the official binary, not only against a local source build.

Impact

This is an authentication bypass leading to unauthorized access to a protected backend.

The practical impact depends on what service is behind the protected route. Examples include private application endpoints, internal administration panels, loopback-only local services, or development and operations interfaces.

Important boundary: if the protected backend is an frpc admin API that is separately protected by its own webServer.user / webServer.password, this issue only bypasses the outer vhost restriction and does not automatically bypass the inner admin authentication. In that case, the request may still reach the backend but correctly receive 401 Unauthorized from the inner layer.

There is also a deployment-specific downstream impact path. If the bypassed backend is an frpc admin API without separate inner authentication, and if that frpc instance permits store-based proxy management, an attacker may be able to create additional plugin-based proxies through the admin API. In deployments where a unix_domain_socket proxy can be used to expose Docker's Unix socket, this may further expose the Docker API and potentially enable host-level command execution through Docker. This follow-on consequence depends on multiple additional deployment conditions and should be treated as a conditional downstream impact rather than the core vulnerability itself.

Because exploitation requires a deployment to explicitly use routeByHTTPUser, and because the attacker must know or be able to guess the target routeByHTTPUser value, the issue is better classified as a configuration-dependent authentication bypass rather than a default-configuration issue.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.68.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fatedier/frp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.43.0"
            },
            {
              "fixed": "0.68.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:33:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nfrp contains an authentication bypass in the HTTP vhost routing path when `routeByHTTPUser` is used as part of access control. In proxy-style requests, the routing logic uses the username from `Proxy-Authorization` to select the `routeByHTTPUser` backend, while the access control check uses credentials from the regular `Authorization` header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected `routeByHTTPUser` value may access a backend protected by `httpUser` / `httpPassword` even with an incorrect `Proxy-Authorization` password.\n\nThis issue affects deployments that explicitly use `routeByHTTPUser`. It does not affect ordinary HTTP proxies that do not use this feature.\n\n### Details\nThe issue is in `pkg/util/vhost/http.go`.\n\nIn proxy-style requests using an absolute URI, the routing path extracts the username from `Proxy-Authorization` and stores it as the request `HTTPUser`, which is then used for `routeByHTTPUser` route selection.\n\nMore specifically, `injectRequestInfoToCtx()` derives the routing user from `Proxy-Authorization`, while the original `ServeHTTP()` implementation used `req.BasicAuth()` for the authentication check.\n\nBecause routing and authentication use different credential sources, a request can be routed to a protected backend based on the `Proxy-Authorization` username while the authentication check is not performed against the same credentials. This creates an authentication bypass when `routeByHTTPUser`, `httpUser`, and `httpPassword` are used together.\n\nThis is not a universal anonymous bypass for all frp HTTP proxies; it is specific to deployments that use `routeByHTTPUser` and where the target user value is known or can be inferred.\n\nA minimal fix is to make the authentication check in proxy mode use the same credential source as route selection, i.e. to derive proxy-mode credentials from `Proxy-Authorization` consistently.\n\nFrom local Git history analysis, this logic appears to have been introduced by commit `4af85da0c2c6eb981142a8fdb44f885d26cb9d08`, with the earliest containing release tag appearing to be `v0.43.0`.\n\n### PoC\nI reproduced the issue with the official `frp_0.68.0_linux_amd64.tar.gz` release binaries both locally and on an internet-reachable test server under my control.\n\nMinimal setup:\n- `frps` exposes an HTTP vhost entrypoint.\n- One HTTP proxy is configured with:\n  - `customDomains = [\"example.test\"]`\n  - `routeByHTTPUser = \"alice\"`\n  - `httpUser = \"alice\"`\n  - `httpPassword = \"secret\"`\n- The protected backend returns a constant marker string: `PRIVATE`.\n\nMinimal request flow:\n1. Direct unauthenticated request:\n   - `curl -i --proxy \u0027\u0027 -H \u0027Host: example.test\u0027 http://\u003cFRPS_HOST\u003e:\u003cVHOST_HTTP_PORT\u003e/`\n   - Result: `404 Not Found`\n\n2. Direct request with correct backend credentials:\n   - `curl -i --proxy \u0027\u0027 -u alice:secret -H \u0027Host: example.test\u0027 http://\u003cFRPS_HOST\u003e:\u003cVHOST_HTTP_PORT\u003e/`\n   - Result: `200 OK`, body contains `PRIVATE`\n\n3. Proxy-style request with incorrect `Proxy-Authorization`:\n   - `curl -i --noproxy \u0027\u0027 -x http://\u003cFRPS_HOST\u003e:\u003cVHOST_HTTP_PORT\u003e --proxy-user alice:wrong http://example.test/`\n   - Result: `200 OK`, body contains `PRIVATE`\n\nObserved minimal result summary:\n- `DIRECT_NOAUTH -\u003e 404`\n- `DIRECT_BASICAUTH_GOOD -\u003e 200 PRIVATE`\n- `PROXY_PROXYAUTH_WRONGPASS -\u003e 200 PRIVATE`\n\nThis was reproduced against the official binary, not only against a local source build.\n\n### Impact\nThis is an authentication bypass leading to unauthorized access to a protected backend.\n\nThe practical impact depends on what service is behind the protected route. Examples include private application endpoints, internal administration panels, loopback-only local services, or development and operations interfaces.\n\nImportant boundary: if the protected backend is an `frpc` admin API that is separately protected by its own `webServer.user` / `webServer.password`, this issue only bypasses the outer vhost restriction and does not automatically bypass the inner admin authentication. In that case, the request may still reach the backend but correctly receive `401 Unauthorized` from the inner layer.\n\nThere is also a deployment-specific downstream impact path. If the bypassed backend is an `frpc` admin API without separate inner authentication, and if that `frpc` instance permits store-based proxy management, an attacker may be able to create additional plugin-based proxies through the admin API. In deployments where a `unix_domain_socket` proxy can be used to expose Docker\u0027s Unix socket, this may further expose the Docker API and potentially enable host-level command execution through Docker. This follow-on consequence depends on multiple additional deployment conditions and should be treated as a conditional downstream impact rather than the core vulnerability itself.\n\nBecause exploitation requires a deployment to explicitly use `routeByHTTPUser`, and because the attacker must know or be able to guess the target `routeByHTTPUser` value, the issue is better classified as a configuration-dependent authentication bypass rather than a default-configuration issue.",
  "id": "GHSA-pq96-pwvg-vrr9",
  "modified": "2026-04-14T23:33:15Z",
  "published": "2026-04-14T23:33:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fatedier/frp/security/advisories/GHSA-pq96-pwvg-vrr9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fatedier/frp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "frp has an authentication bypass in HTTP vhost routing when routeByHTTPUser is used for access control"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.