CVE-2020-37056
Published: 30 January 2026
Summary
CVE-2020-37056 is a medium-severity Authentication Bypass by Spoofing (CWE-290) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 41.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2020-37056 is an IP spoofing vulnerability (CWE-290) in Crystal Shard http-protection version 0.2.0. The flaw exists in the protection middleware, which can be bypassed by an attacker who manipulates client-controlled request headers such as X-Forwarded-For, X-Client-IP, and X-Real-IP. By supplying the same attacker-chosen IP value in each of these headers, the attacker satisfies the middleware's consistency checks and circumvents its IP-based protection.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it exploitable over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation allows attackers to bypass IP-based protections, potentially leading to unauthorized access to protected resources.
Advisories and related resources include the project GitHub repository at https://github.com/rogeriozambon/http-protection, a proof-of-concept exploit at https://www.exploit-db.com/exploits/48533, and a VulnCheck advisory at https://www.vulncheck.com/advisories/crystal-shard-http-protection-ip-spoofing-bypass. These provide further technical details on the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30926
Vulnerability details
Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP values across X-Forwarded-For, X-Client-IP, and X-Real-IP headers to circumvent security checks and gain unauthorized access.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct exploitation of public-facing web protection middleware via header manipulation to bypass IP-based access controls.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and remediation of software flaws like CVE-2020-37056, preventing exploitation of the IP spoofing vulnerability in the http-protection middleware.
SI-10 mandates validation of information inputs including request headers like X-Forwarded-For, directly countering the header manipulation used to bypass IP protections.
SC-7 enforces monitoring and control at system boundaries to validate true client IPs and block requests with spoofed proxy headers.
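The following Python example is added here to illustrate the weakness class and the SI-10/SC-7 mitigations above; it is not code from the http-protection shard and does not reproduce its actual logic. It contrasts a naive client-IP derivation that believes any X-Forwarded-For, X-Client-IP or X-Real-IP header with a hardened version that only consults X-Forwarded-For when the TCP peer is a configured trusted proxy and then walks the chain from the right, skipping trusted hops. The allowlist, trusted-proxy ranges, and request headers are constructed for this example.

```python
"""Client-IP derivation: naive header trust versus trusted-proxy handling.

Added example; the allowlist, proxy ranges and sample requests are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hypothetical allowlist protecting some resource (constructed).
ALLOWED_CLIENTS = {"127.0.0.1", "192.0.2.10"}

# Hypothetical reverse-proxy tier that is allowed to set forwarding headers.
TRUSTED_PROXIES = ("10.0.0.0/8",)

# Header names the advisory lists; all are attacker-controlled on a direct
# connection, and only a trusted proxy can make their contents meaningful.
SPOOFABLE_HEADERS = ("X-Forwarded-For", "X-Client-IP", "X-Real-IP")


def _parse_ip(value: str) -> Optional[IPAddr]:
    """Return the parsed address or None for garbage, never raise."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip_naive(peer_ip: str, headers: Dict[str, str]) -> str:
    """Vulnerable pattern (CWE-290): trust whichever forwarding header is present.

    The first header that parses as an address wins, regardless of who set it.
    A client connecting directly can therefore put the same allowlisted value in
    every header and pass any "headers agree" check.
    """
    for name in SPOOFABLE_HEADERS:
        if name in headers:
            candidate = _parse_ip(headers[name].split(",")[0])
            if candidate is not None:
                return str(candidate)
    return peer_ip


def client_ip_trusted(peer_ip: str, headers: Dict[str, str],
                      trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Hardened pattern: the TCP peer is the only address that cannot be spoofed.

    Forwarding headers are consulted only when the peer is a trusted proxy, and the
    X-Forwarded-For chain is read right to left, skipping trusted hops, so the value
    returned is the rightmost address that a trusted proxy actually observed.
    """
    networks: List[ipaddress._BaseNetwork] = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip: IPAddr) -> bool:
        return any(ip in net for net in networks)

    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer):
        # Direct connection: every forwarding header is client-supplied, ignore them.
        return str(peer)

    chain = [ip for ip in (_parse_ip(p) for p in headers.get("X-Forwarded-For", "").split(","))
             if ip is not None]
    for hop in reversed(chain):
        if not is_trusted(hop):
            return str(hop)
    # Chain empty or consisted only of trusted hops: fall back to the proxy itself.
    return str(peer)


def is_allowed(ip: str) -> bool:
    """Allowlist check that a protection middleware would apply to the derived IP."""
    return ip in ALLOWED_CLIENTS


# Constructed request 1: untrusted peer sets all three headers to an allowlisted value.
SPOOFED_HEADERS = {name: "127.0.0.1" for name in SPOOFABLE_HEADERS}
SPOOFED_PEER = "198.51.100.77"

# Constructed request 2: legitimate client behind the trusted proxy tier; the client
# tried to prepend 127.0.0.1, but the proxy appended the address it really saw.
LEGIT_HEADERS = {"X-Forwarded-For": "127.0.0.1, 192.0.2.10"}
LEGIT_PEER = "10.0.0.5"


if __name__ == "__main__":
    for label, peer, hdrs in (("spoofed", SPOOFED_PEER, SPOOFED_HEADERS),
                              ("legit", LEGIT_PEER, LEGIT_HEADERS)):
        naive, hardened = client_ip_naive(peer, hdrs), client_ip_trusted(peer, hdrs)
        print(f"{label}: naive={naive} allowed={is_allowed(naive)} | "
              f"hardened={hardened} allowed={is_allowed(hardened)}")
```

On the spoofed request the naive derivation yields 127.0.0.1 and the allowlist passes, which is the bypass the advisory describes; the hardened derivation ignores the headers because the peer is not a trusted proxy and returns 198.51.100.77, which is denied. On the legitimate request the hardened derivation returns 192.0.2.10, the rightmost address the trusted proxy observed, rather than the client-prepended 127.0.0.1. The boundary device (SC-7) should additionally strip or overwrite these headers on ingress so that application code never sees client-supplied values.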