Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass | Advisories

Advisories

Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass

severity: medium
date: January 30, 2026
Affecting: http-protection <= 0.2.0
CVE: CVE-2020-37056
CWE: CWE-290 Authentication Bypass by Spoofing
CVSS: 6.9
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
References: ExploitDB-48533
HTTP Protection Crystal Shard Repository
Credit: Halis Duraki (@0xduraki)
Description: Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP values across X-Forwarded-For, X-Client-IP, and X-Real-IP headers to circumvent security checks and gain unauthorized access.