ts-2025-002
Vulnerability from tailscale

Description: Privilege escalation in proxy-to-grafana via header spoofing

What happened?

The Tailscale Grafana proxy is an HTTP reverse proxy for Grafana that annotates requests with X-Webauth-* headers bearing the requesting user's whois-based Tailscale identity.

The Grafana proxy is intended to be used with Grafana's session-based authentication: the identity headers are consumed on requests to /login, Grafana answers with a session cookie, and that cookie authenticates subsequent requests to other endpoints.

When configured for session-based authentication, Grafana's /api/ routes still accept X-Webauth-* headers for authentication. Previous versions of the Grafana proxy did not strip these X-Webauth-* headers from API requests, so a malicious tailnet node could supply its own X-Webauth-* headers on requests to /api/ and have Grafana treat the request as coming from whichever user the node named.

The issue was present since the initial release of the Grafana proxy, and was patched on May 15th, 2025. The Grafana proxy now strips X-Webauth-* headers from all incoming requests.
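The header-stripping fix in miniature, as an added example that is not the project's code. It assumes a simplified route structure (identity headers set on /login only, everything else forwarded as-is), stands in a constructed Identity for the whois lookup, and shows the pre-fix director beside the fixed one so the difference on an /api/ request carrying a spoofed X-Webauth-User is visible:

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Identity stands in for the whois-derived Tailscale identity the proxy
// trusts (constructed for this example; the real proxy looks it up from
// the peer's source address).
type Identity struct {
	Login string
	Name  string
}

// stripWebauthHeaders deletes every inbound X-Webauth-* header, matching
// case-insensitively on the raw map key so a non-canonical spelling is
// caught too. Returns the number of headers removed.
func stripWebauthHeaders(h http.Header) int {
	n := 0
	for name := range h {
		if strings.HasPrefix(strings.ToLower(name), "x-webauth-") {
			delete(h, name)
			n++
		}
	}
	return n
}

// annotate sets the headers Grafana's auth proxy reads.
func annotate(r *http.Request, id Identity) {
	r.Header.Set("X-Webauth-User", id.Login)
	r.Header.Set("X-Webauth-Name", id.Name)
}

// vulnerableDirector models the pre-fix behaviour the bulletin describes
// (assumed structure, not the project's code): identity headers are set only
// on /login, and every other request, /api/ included, is forwarded with
// whatever X-Webauth-* headers the client supplied.
func vulnerableDirector(id Identity) func(*http.Request) {
	return func(r *http.Request) {
		if r.URL.Path == "/login" {
			annotate(r, id)
		}
	}
}

// fixedDirector strips X-Webauth-* from every request before anything else,
// so a client-supplied header never survives, on /api/ or anywhere.
func fixedDirector(id Identity) func(*http.Request) {
	return func(r *http.Request) {
		stripWebauthHeaders(r.Header)
		if r.URL.Path == "/login" {
			annotate(r, id)
		}
	}
}

// forwardedHeaders builds the request a tailnet client would send, runs the
// director over it and returns the headers Grafana would receive. No network.
func forwardedHeaders(director func(*http.Request), path string, inbound http.Header) http.Header {
	r := httptest.NewRequest("GET", path, nil)
	for k, vs := range inbound {
		for _, v := range vs {
			r.Header.Add(k, v)
		}
	}
	director(r)
	return r.Header
}

func main() {
	id := Identity{Login: "alice@example.com", Name: "Alice Example"} // constructed
	spoof := http.Header{"X-Webauth-User": {"admin"}}                  // attacker-supplied
	fmt.Printf("vulnerable /api/: X-Webauth-User=%q\n", forwardedHeaders(vulnerableDirector(id), "/api/users", spoof).Get("X-Webauth-User"))
	fmt.Printf("fixed /api/:      X-Webauth-User=%q\n", forwardedHeaders(fixedDirector(id), "/api/users", spoof).Get("X-Webauth-User"))
	fmt.Printf("fixed /login:     X-Webauth-User=%q\n", forwardedHeaders(fixedDirector(id), "/login", spoof).Get("X-Webauth-User"))

	// End to end: the spoofed /api/ request through a real reverse proxy to a
	// stub "Grafana" that echoes back the user header it received.
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.Header.Get("X-Webauth-User"))
	}))
	defer backend.Close()
	target, _ := url.Parse(backend.URL)
	proxy := httputil.NewSingleHostReverseProxy(target)
	base, dir := proxy.Director, fixedDirector(id)
	proxy.Director = func(r *http.Request) { base(r); dir(r) }
	front := httptest.NewServer(proxy)
	defer front.Close()
	req, _ := http.NewRequest("GET", front.URL+"/api/users", nil)
	req.Header.Set("X-Webauth-User", "admin")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	body, _ := io.ReadAll(resp.Body)
	resp.Body.Close()
	fmt.Printf("end-to-end fixed /api/: backend saw X-Webauth-User=%q\n", body)
}
```

The point of ordering in fixedDirector is that stripping happens unconditionally before any path check, so the guarantee does not depend on which routes the proxy chooses to annotate; any future route that forwards untouched still cannot carry a client-chosen identity.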

Who was affected?

Tailnets using Grafana in combination with the Grafana proxy to authenticate users.

What was the impact?

Grafana instances protected by the Grafana proxy would have been vulnerable to privilege escalation via HTTP request header forgery from members of their tailnet.

What do I need to do?

Update to the latest Grafana proxy by running go install tailscale.com/cmd/proxy-to-grafana@latest, then restart the running proxy so the new binary takes effect.

Credits

Thanks to Yeongrok Gim for reporting this issue.

Source: https://tailscale.com/security-bulletins/#ts-2025-002 (published 15 May 2025)

