{"id":"CVE-2024-52796","summary":"Password Pusher's rate limiter can be bypassed by forging proxy headers","details":"Password Pusher, an open source application to communicate sensitive information over the web, comes with a configurable rate limiter. In versions prior to v1.49.0, the rate limiter could be bypassed by forging proxy headers, allowing bad actors to send unlimited traffic to the site, potentially causing a denial of service. In v1.49.0, a fix was implemented to only authorize proxies on local IPs, which resolves this issue. As a workaround, one may add rules to one's proxy and/or firewall to not accept external proxy headers such as `X-Forwarded-*` from clients.","aliases":["GHSA-ffp2-8p2h-4m5j"],"modified":"2026-04-10T05:12:56.963294Z","published":"2024-11-20T16:15:19.478Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-770"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52796.json"},"references":[{"type":"WEB","url":"https://docs.pwpush.com/docs/proxies/#trusted-proxies"},{"type":"WEB","url":"https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52796.json"},{"type":"ADVISORY","url":"https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-ffp2-8p2h-4m5j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52796"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pglombardo/passwordpusher","events":[{"introduced":"0"},{"fixed":"97d28d380d125395cbcd97a5f409cfc28ecb0c1a"}]}],"versions":["release","v1.10.0","v1.10.1","v1.10.2","v1.10.3","v1.10.4","v1.11.0","v1.11.1","v1.11.10","v1.11.11","v1.11.12","v1.11.2","v1.11.3","v1.11.4","v1.11.5","v1.11.6","v1.11.7","v1.11.8","v1.11.8.1","v1.11.9","v1.12.0","v1.13.0","v1.14.0","v1.14.1","v1.14.2","v1.14.3","v1.15.0","v1.15.1","v1.16.0","v1.16.1","v1.17.0","v1.17.1","v1.17.10","v1.17.11","v1
.17.12","v1.17.13","v1.17.14","v1.17.15","v1.17.2","v1.17.3","v1.17.4","v1.17.5","v1.17.6","v1.17.7","v1.17.8","v1.17.9","v1.18.0","v1.19.0","v1.19.1","v1.20.0","v1.20.1","v1.20.2","v1.20.3","v1.20.4","v1.20.5","v1.20.6","v1.20.7","v1.21.0","v1.22.0","v1.22.1","v1.22.2","v1.22.3","v1.23.0","v1.23.1","v1.23.10","v1.23.2","v1.23.3","v1.23.4","v1.23.5","v1.23.6","v1.23.7","v1.23.8","v1.23.9","v1.24.0","v1.24.1","v1.24.2","v1.24.3","v1.24.4","v1.24.5","v1.24.6","v1.24.7","v1.24.8","v1.25.0","v1.25.1","v1.25.2","v1.25.3","v1.25.4","v1.25.5","v1.25.6","v1.25.7","v1.25.8","v1.26.0","v1.26.1","v1.26.10","v1.26.11","v1.26.12","v1.26.13","v1.26.14","v1.26.15","v1.26.16","v1.26.17","v1.26.18","v1.26.2","v1.26.3","v1.26.4","v1.26.5","v1.26.6","v1.26.7","v1.26.8","v1.26.9","v1.27.0","v1.28.0","v1.28.1","v1.28.10","v1.28.11","v1.28.12","v1.28.13","v1.28.14","v1.28.2","v1.28.2.rc1","v1.28.2.rc2","v1.28.3","v1.28.4","v1.28.5","v1.28.6","v1.28.7","v1.28.8","v1.28.9","v1.29.0","v1.29.1","v1.29.2","v1.29.3","v1.30.0","v1.30.1","v1.30.10","v1.30.11","v1.30.12","v1.30.13","v1.30.2","v1.30.3","v1.30.4","v1.30.5","v1.30.6","v1.30.7","v1.30.8","v1.30.9","v1.31.0","v1.31.1","v1.31.2","v1.31.3","v1.31.4","v1.31.5","v1.31.6","v1.31.7","v1.31.8","v1.32.0","v1.32.1","v1.32.2","v1.32.3","v1.32.4","v1.32.5","v1.32.6","v1.32.7","v1.32.8","v1.32.9","v1.33.0","v1.34.0","v1.34.1","v1.34.2","v1.34.3","v1.34.4","v1.34.5","v1.35.0","v1.35.1","v1.35.2","v1.36.0","v1.36.1","v1.36.2","v1.36.3","v1.36.4","v1.36.5","v1.36.6","v1.36.7","v1.36.8","v1.36.9","v1.37.0","v1.37.1","v1.37.10","v1.37.11","v1.37.12","v1.37.2","v1.37.3","v1.37.4","v1.37.5","v1.37.6","v1.37.7","v1.37.8","v1.37.9","v1.38.0","v1.38.1","v1.39.0","v1.39.1","v1.39.2","v1.39.3","v1.39.4","v1.39.5","v1.39.6","v1.39.7","v1.39.8","v1.39.9","v1.40.0","v1.40.1","v1.40.10","v1.40.11","v1.40.12","v1.40.13","v1.40.14","v1.40.15","v1.40.2","v1.40.3","v1.40.4","v1.40.5","v1.40.6","v1.40.7","v1.40.8","v1.40.9","v1.41.0","v1.41.1","v1.41.10","v1.41.11","
v1.41.12","v1.41.13","v1.41.14","v1.41.15","v1.41.2","v1.41.3","v1.41.4","v1.41.5","v1.41.6","v1.41.7","v1.41.8","v1.41.9","v1.42.0","v1.42.1","v1.42.2","v1.43.0","v1.43.1","v1.44.0","v1.45.0","v1.45.1","v1.45.10","v1.45.11","v1.45.2","v1.45.3","v1.45.4","v1.45.5","v1.45.6","v1.45.7","v1.45.8","v1.45.9","v1.46.0","v1.46.1","v1.46.2","v1.46.3","v1.47.0","v1.47.1","v1.47.2","v1.47.3","v1.47.4","v1.48.0","v1.48.1","v1.48.2","v1.6.0","v1.7.0","v1.8.0","v1.9.0","v1.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52796.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}