CVE-2026-42272

EPSS 0.02%

Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation

Published: 2026/4/25 · Modified: 2026/5/12

Description

### Summary

Heimdall handles URL-encoded slashes (`%2F`) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (`%2f`) is not recognized and therefore not processed as expected when `allow_encoded_slashes` is set to `off` (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass.

**Note:** The issue can only lead to unintended access if heimdall is configured with an "allow all" default rule. Since v0.16.0, heimdall enforces secure defaults and refuses to start with such a configuration unless this enforcement is explicitly disabled (e.g. via `--insecure-skip-secure-default-rule-enforcement` or the broader `--insecure` flag).

### Details

Consider the following rule configuration:

```yaml
id: rule-1
match:
  routes:
    - path: /admin/**
execute:
  # configured to require authentication and authorization
  # ...
```

If an adversary sends a request such as `/admin%2fsecret`, the above rule is not matched, and the request is not rejected either (as would be expected when `allow_encoded_slashes` is set to `off`). Instead, the default rule (if configured) will be executed. If the configured default rule is overly permissive (e.g. allowing anonymous access), and the upstream service interprets `%2f` as a path separator, the request may ultimately be processed as `/admin/secret`. The request is thus authorized based on a different path than the one processed by the upstream service, leading to authorization bypass.

### Impact

Bypass of access control policies enforced by heimdall may lead to the following consequences:

* Access to or modification of data that should be restricted
* Invocation of functionality that is expected to require authentication or authorization
* In certain configurations, escalation of privileges depending on the exposed functionality

### Workarounds

* Developers should not use the `--insecure` or the `--insecure-skip-secure-default-rule-enforcement` flags, and should configure their default rule to implement "deny by default".
* Reject HTTP paths containing encoded slashes in the layers in front of heimdall. Some proxies, e.g. Traefik, do that by default.
* Include the ID of the rule expected to be executed in the JWT issued by heimdall and verify that value in the project's service.
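The following Go program is an added illustration of the defect class described above; it is not heimdall's code and does not reproduce its matcher. It places a case-sensitive encoded-slash check (`containsEncodedSlashFlawed`, recognising only `%2F`) beside a corrected one that first applies the percent-encoding case normalization of RFC 3986 section 6.2.2.1, and runs both through a simplified routing decision in which the `/admin/**` route is approximated as a `/admin/` prefix match with `allow_encoded_slashes` off. The sample paths are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision is what the illustrative matcher returns for a request path.
type Decision string

const (
	Rejected    Decision = "rejected"     // encoded slash present while allow_encoded_slashes is off
	RuleMatched Decision = "rule-1"       // /admin/** matched, authentication and authorization enforced
	DefaultRule Decision = "default-rule" // fell through to the default rule
)

// normalizePercentCase upper-cases the two hex digits of every well-formed
// percent-escape (RFC 3986 section 6.2.2.1), so "%2f" and "%2F" compare equal.
// Bytes that are not part of a well-formed escape are copied unchanged.
func normalizePercentCase(rawPath string) string {
	var b strings.Builder
	b.Grow(len(rawPath))
	for i := 0; i < len(rawPath); i++ {
		c := rawPath[i]
		if c == '%' && i+2 < len(rawPath) && isHex(rawPath[i+1]) && isHex(rawPath[i+2]) {
			b.WriteByte('%')
			b.WriteByte(upperHex(rawPath[i+1]))
			b.WriteByte(upperHex(rawPath[i+2]))
			i += 2
			continue
		}
		b.WriteByte(c)
	}
	return b.String()
}

func isHex(c byte) bool {
	return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')
}

func upperHex(c byte) byte {
	if c >= 'a' && c <= 'f' {
		return c - 'a' + 'A'
	}
	return c
}

// containsEncodedSlashFlawed mirrors the case-sensitive behaviour the advisory
// describes: only "%2F" is recognised, so "%2f" slips through.
func containsEncodedSlashFlawed(rawPath string) bool {
	return strings.Contains(rawPath, "%2F")
}

// containsEncodedSlash normalizes escape case first, so either spelling is caught.
func containsEncodedSlash(rawPath string) bool {
	return strings.Contains(normalizePercentCase(rawPath), "%2F")
}

// decide models the routing decision for the advisory's rule-1 with
// allow_encoded_slashes off. The /admin/** route is approximated as a /admin/
// prefix match on the raw (undecoded) path; encodedSlashCheck is the detector under test.
func decide(rawPath string, encodedSlashCheck func(string) bool) Decision {
	if encodedSlashCheck(rawPath) {
		return Rejected
	}
	// Matching runs on the raw path, so an encoded slash is not a separator
	// here even though an upstream service may decode it into one later.
	if strings.HasPrefix(rawPath, "/admin/") {
		return RuleMatched
	}
	return DefaultRule
}

func main() {
	// Constructed sample paths, not taken from the advisory's test data.
	for _, p := range []string{"/admin/secret", "/admin%2Fsecret", "/admin%2fsecret"} {
		fmt.Printf("%-18s flawed=%-13s fixed=%s\n", p, decide(p, containsEncodedSlashFlawed), decide(p, containsEncodedSlash))
	}
}
```

With the flawed check, `/admin%2fsecret` is neither rejected nor matched by `rule-1` and falls through to the default rule, which is the condition the advisory describes; with the normalized check it is rejected like its uppercase twin. The same normalization step belongs in any front layer that is relied upon to reject encoded slashes, since a check that compares only one spelling gives no guarantee.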

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N |

References (6)