CVE-2020-37056 | THREATINT

Description

Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP values across X-Forwarded-For, X-Client-IP, and X-Real-IP headers to circumvent security checks and gain unauthorized access.

PUBLISHED Reserved 2026-01-28 | Published 2026-01-30 | Updated 2026-02-02 | Assigner VulnCheck

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Authentication Bypass by Spoofing

Product status

<= 0.2.0

affected

Credits

Halis Duraki (@0xduraki) finder

References

www.exploit-db.com/exploits/48533 (ExploitDB-48533) exploit

github.com/rogeriozambon/http-protection (HTTP Protection Crystal Shard Repository) product

www.vulncheck.com/...hard-http-protection-ip-spoofing-bypass (VulnCheck Advisory: Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass) third-party-advisory

cve.org (CVE-2020-37056)

nvd.nist.gov (CVE-2020-37056)

Download JSON