
CVE-2020-37056

Severity: Medium · Public PoC available
Published: 30 January 2026
Modified: 15 April 2026
KEV added: not listed
CVSS v4 score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0054 (41.0th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2020-37056 is a medium-severity Authentication Bypass by Spoofing (CWE-290) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 41.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2020-37056 is an IP spoofing vulnerability (CWE-290) in Crystal Shard http-protection version 0.2.0. The flaw exists in the protection middleware, which can be bypassed by attackers manipulating request headers such as X-Forwarded-For, X-Client-IP, and X-Real-IP. By hardcoding consistent IP values across these headers, attackers circumvent the middleware's security checks.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it exploitable over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation allows attackers to bypass IP-based protections, potentially leading to unauthorized access to protected resources.

Advisories and related resources include the project GitHub repository at https://github.com/rogeriozambon/http-protection, a proof-of-concept exploit at https://www.exploit-db.com/exploits/48533, and a VulnCheck advisory at https://www.vulncheck.com/advisories/crystal-shard-http-protection-ip-spoofing-bypass. These provide further technical details on the issue.


Vulnerability details

Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP values across X-Forwarded-For, X-Client-IP, and X-Real-IP headers to circumvent security checks and gain unauthorized access.

CWE(s): CWE-290 (Authentication Bypass by Spoofing)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct exploitation of public-facing web protection middleware via header manipulation to bypass IP-based access controls.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25316 (shared CWE-290)
CVE-2026-0834 (shared CWE-290)
CVE-2025-69401 (shared CWE-290)
CVE-2025-27671 (shared CWE-290)
CVE-2026-31889 (shared CWE-290)
CVE-2026-35622 (shared CWE-290)
CVE-2026-34457 (shared CWE-290)
CVE-2026-8644 (shared CWE-290)
CVE-2026-3902 (shared CWE-290)
CVE-2026-21862 (shared CWE-290)

Mitigating Controls (NIST 800-53 r5)

SI-2 (prevent): requires timely identification, reporting, and remediation of software flaws like CVE-2020-37056, preventing exploitation of the IP spoofing vulnerability in the http-protection middleware.

SI-10 (prevent): mandates validation of information inputs, including request headers like X-Forwarded-For, directly countering the header manipulation used to bypass IP protections.

SC-7 (prevent): enforces monitoring and control at system boundaries to validate true client IPs and block requests with spoofed proxy headers.
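The client-IP resolution that the analysis above and the SC-7/SI-10 controls call for, as added example code that is not the http-protection shard's code or the project's own, written in Ruby rather than Crystal so it runs stand-alone. It puts a header-trusting resolver that approximates the bypassed pattern (client IP taken from proxy headers whenever they agree) beside a hardened one that starts from the TCP peer address and honours only X-Forwarded-For hops appended by trusted proxies; the proxy ranges, allowlist and request values are constructed.

```ruby
require "ipaddr"

# Constructed values: trusted reverse proxies and the IP allowlist the middleware enforces.
TRUSTED_PROXIES = ["10.0.0.0/8", "127.0.0.1"].map { |c| IPAddr.new(c) }
ALLOWLIST = [IPAddr.new("203.0.113.0/24")]

# True when ip parses and falls inside one of the given networks.
def in_any?(ip, nets)
  addr = IPAddr.new(ip.to_s) rescue nil
  !addr.nil? && nets.any? { |net| net.include?(addr) }
end

# Approximation of the bypassed pattern: the client IP is taken from proxy headers
# whenever their values agree, so a sender who sets all three headers to the same
# allowlisted address is accepted. This is the behaviour to avoid.
def header_trusting_client_ip(peer_ip, headers)
  claimed = %w[X-Forwarded-For X-Client-IP X-Real-IP].map { |h| headers[h] }.compact
  return peer_ip if claimed.empty?
  first = claimed.first.split(",").first.strip
  claimed.all? { |v| v.split(",").first.strip == first } ? first : peer_ip
end

# Hardened resolver: peer_ip is the TCP peer address, which no header can alter.
# X-Forwarded-For is consulted only when the peer is a trusted proxy and is walked
# from the right, skipping hops added by trusted proxies, so entries the client
# placed further left are never reached. X-Client-IP and X-Real-IP are ignored:
# a single-valued header gives no way to tell which party wrote it.
def client_ip(peer_ip, headers)
  return peer_ip unless in_any?(peer_ip, TRUSTED_PROXIES)
  hops = headers.fetch("X-Forwarded-For", "").split(",").map(&:strip).reject(&:empty?)
  hops.reverse_each { |hop| return hop unless in_any?(hop, TRUSTED_PROXIES) }
  peer_ip
end

# Access decision for the protected resource, based on the resolved client IP.
def allowed?(peer_ip, headers)
  in_any?(client_ip(peer_ip, headers), ALLOWLIST)
end

# Constructed request: an untrusted peer presenting consistent allowlisted header values.
SPOOFED = { "X-Forwarded-For" => "203.0.113.5", "X-Client-IP" => "203.0.113.5",
            "X-Real-IP" => "203.0.113.5" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "header-trusting accepts: #{in_any?(header_trusting_client_ip("198.51.100.7", SPOOFED), ALLOWLIST)}"
  puts "hardened accepts:        #{allowed?("198.51.100.7", SPOOFED)}"
end
```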
