Summary
The TrackTrueClientIp middleware unconditionally trusts the True-Client-IP request header, enabling IP address spoofing on self-hosted deployments that are not behind Cloudflare.
Details
The middleware in config/initializers/true_client_ip.rb copies the True-Client-IP header value into X-Forwarded-For on every request, before Rails' RemoteIp middleware resolves the client IP. The True-Client-IP header is set by Cloudflare and is trustworthy when Cloudflare is the reverse proxy. However, on self-hosted deployments not behind Cloudflare, this header is attacker-controlled.
An attacker can set an arbitrary True-Client-IP header to spoof their IP address, which could be used to bypass IP-based rate limiting or manipulate IP-based access controls.
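The interaction described above, as an added example that is not Fizzy's own code: a Rack-style middleware modeled on the advisory's description of the initializer (it copies True-Client-IP into X-Forwarded-For unconditionally), a gated variant that only honors the header when the immediate peer is a Cloudflare edge, and a simplified model of how a RemoteIp-style resolver picks the client address (the rightmost X-Forwarded-For entry that is not a known proxy, else REMOTE_ADDR). The edge range, the trusted-proxy list and the requests are constructed for the example; the gated variant is an alternative hardening for illustration, not the fix the project shipped.

```ruby
require "ipaddr"

# Constructed stand-in for the Cloudflare edge ranges (TEST-NET-3). A real
# deployment would load Cloudflare's published list, not this block.
CLOUDFLARE_RANGES = [IPAddr.new("203.0.113.0/24")].freeze

# Loopback and private ranges that a RemoteIp-style resolver treats as proxies.
TRUSTED_PROXIES = [
  IPAddr.new("127.0.0.0/8"),
  IPAddr.new("10.0.0.0/8"),
  IPAddr.new("172.16.0.0/12"),
  IPAddr.new("192.168.0.0/16"),
].freeze

def in_ranges?(ip, ranges)
  return false if ip.nil?
  addr = IPAddr.new(ip)
  ranges.any? { |r| r.include?(addr) }
rescue IPAddr::InvalidAddressError, ArgumentError
  false
end

# Simplified model of ActionDispatch::RemoteIp's resolution (not the real
# middleware, which adds header validation this omits): take the rightmost
# X-Forwarded-For entry that is not a known proxy; if every entry is a proxy,
# the rightmost entry; without the header, REMOTE_ADDR.
def resolve_client_ip(env, trusted_proxies = TRUSTED_PROXIES)
  forwarded = env.fetch("HTTP_X_FORWARDED_FOR", "")
                 .split(",").map(&:strip).reject(&:empty?).reverse
  untrusted = forwarded.reject { |ip| in_ranges?(ip, trusted_proxies) }
  untrusted.first || forwarded.first || env["REMOTE_ADDR"]
end

# Vulnerable shape, modeled on the advisory's description: the header is
# copied into X-Forwarded-For no matter who sent it.
class TrackTrueClientIpUnconditional
  def initialize(app)
    @app = app
  end

  def call(env)
    env["HTTP_X_FORWARDED_FOR"] = env["HTTP_TRUE_CLIENT_IP"] if env["HTTP_TRUE_CLIENT_IP"]
    @app.call(env)
  end
end

# Gated variant (illustrative hardening, not the project's fix): honor the
# header only when the TCP peer is inside the edge ranges.
class TrackTrueClientIpGated
  def initialize(app, edge_ranges = CLOUDFLARE_RANGES)
    @app = app
    @edge_ranges = edge_ranges
  end

  def call(env)
    if env["HTTP_TRUE_CLIENT_IP"] && in_ranges?(env["REMOTE_ADDR"], @edge_ranges)
      env["HTTP_X_FORWARDED_FOR"] = env["HTTP_TRUE_CLIENT_IP"]
    end
    @app.call(env)
  end
end

# Terminal app: the response body is the client IP the resolver settled on.
RESOLVER_APP = ->(env) { [200, {}, [resolve_client_ip(env)]] }

def client_ip_seen_by(middleware, env)
  middleware.new(RESOLVER_APP).call(env.dup)[2].first
end

# Constructed requests (TEST-NET addresses).
# Attacker connects directly to a self-hosted instance and forges the header.
DIRECT_FORGED = { "REMOTE_ADDR" => "198.51.100.7", "HTTP_TRUE_CLIENT_IP" => "192.0.2.44" }
# The same client reaches the app through a Cloudflare edge, which sets the header.
VIA_CLOUDFLARE = { "REMOTE_ADDR" => "203.0.113.9", "HTTP_TRUE_CLIENT_IP" => "198.51.100.7" }

if __FILE__ == $0
  [TrackTrueClientIpUnconditional, TrackTrueClientIpGated].each do |mw|
    puts "#{mw.name}: direct=#{client_ip_seen_by(mw, DIRECT_FORGED)} " \
         "via_cloudflare=#{client_ip_seen_by(mw, VIA_CLOUDFLARE)}"
  end
end
```

With the unconditional middleware, the direct request resolves to the forged 192.0.2.44; the gated middleware ignores the header because 198.51.100.7 is not an edge address and resolves to the real peer. Behind Cloudflare both variants resolve to 198.51.100.7, which is the behavior the initializer was written for. The gate also shows why the workaround below is the right call for self-hosted operators: a peer check is only as good as the range list it is fed, whereas not loading the middleware removes the trust decision entirely.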
Severity / Impact
Low — Exploitation requires a self-hosted deployment that is not behind Cloudflare.
By sending a forged True-Client-IP header, an attacker can control the IP address that Rails sees as the remote client IP. This could be used to bypass IP-based rate limiting and other application or framework behavior that relies on the client IP address.
The 37signals SaaS deployment at app.fizzy.do is unaffected as it sits behind Cloudflare.
Affected versions
All versions since commit 8538c21 (2025-11-03) through 723c818.
Patched versions
Fixed in b6ea558. The fix moves the middleware into the fizzy-saas engine so it does not load for self-hosted deployments. See #2677.
Workarounds
Self-hosted operators who are not behind Cloudflare can delete config/initializers/true_client_ip.rb. Operators behind another reverse proxy should also make sure that proxy strips or overwrites the True-Client-IP header rather than passing client-supplied values through, since the middleware trusts whatever value reaches the app.