What is CVE-2025-48865?

CVE-2025-48865 is a critical-severity vulnerability in Fabiolb Fabio, classified under Insufficient Verification of Data Authenticity. CVSS score: 9.1/10. Published 2025-05-30.

How severe is CVE-2025-48865?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Is CVE-2025-48865 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Fabiolb Fabio

CVE-2025-48865

Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop head…

EPSS: 0.002 (37.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

Affected products

Fabiolb Fabio — versions < 1.6.6

Weakness classification (CWE)

Public proof-of-concept exploits

References

https://github.com/fabiolb/fabio/security/advisories/GHSA-q7p4-7xjv-j3wf (x_refsource_CONFIRM)
https://github.com/fabiolb/fabio/commit/fdaf1e966162e9dd3b347ffdd0647b39dc71a1a3 (x_refsource_MISC)
https://github.com/fabiolb/fabio/releases/tag/v1.6.6 (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-48865?: CVE-2025-48865 is a critical-severity vulnerability in Fabiolb Fabio, classified under Insufficient Verification of Data Authenticity. CVSS score: 9.1/10. Published 2025-05-30.
How severe is CVE-2025-48865?: Critical severity. CVSS v3 base score is 9.1 out of 10.
Is CVE-2025-48865 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.