CVE-2020-37056 MEDIUM

CVE-2020-37056: Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass

Vendor Crystal Shard
Product http-protection
Weakness CWE-290
Published January 30, 2026
Last update February 2, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP values across X-Forwarded-For, X-Client-IP, and X-Real-IP headers to circumvent security checks and gain unauthorized access.

Key dates

02Disclosure timeline

January 30, 2026 CVE published
February 2, 2026 Record updated