Domain fronting protection bypass in explicit web proxy

Summary

An Improperly Implemented Security Check for Standard vulnerability [CWE-358] in FortiOS and FortiProxy explicit web proxy may allow an unauthenticated proxy user to bypass the domain fronting protection feature via crafted HTTP requests.

Version          Affected               Solution
FortiOS 7.6      7.6.0 through 7.6.3    Upgrade to 7.6.4 or above AND see solution below
FortiOS 7.4      Not affected           Not Applicable
FortiOS 7.2      Not affected           Not Applicable
FortiOS 7.0      Not affected           Not Applicable
FortiOS 6.4      Not affected           Not Applicable
FortiProxy 7.6   7.6.0 through 7.6.3    Upgrade to 7.6.4 or above AND see solution below
FortiProxy 7.4   7.4.0 through 7.4.11   Upgrade to 7.4.12 or above AND see solution below
FortiProxy 7.2   7.2 all versions       Migrate to a fixed release
FortiProxy 7.0   7.0.1 through 7.0.22   Migrate to a fixed release
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

Solution

Upgrade to FortiOS 7.6.4 or above, or to FortiProxy 7.6.4 or above / 7.4.12 or above

AND

Set the domain-fronting option to the new value "strict", which blocks requests whose Host header and SNI do not match, whether a domain name or an IP address is used.

config firewall profile-protocol-options
    edit "test"
        set comment "All default services."
        config http
            set ports 80
            unset options
            unset post-lang
            set domain-fronting strict <----- new option (not default)
        end
    next
end
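The block above shows the setting for one profile; on a device with many protocol-option profiles it is easy to miss one. The following is an added example (not Fortinet code) that audits a saved configuration dump in the same config / edit / next / end nesting and lists every profile whose http section does not carry `set domain-fronting strict`. It assumes the dump was captured as text, for instance from `show firewall profile-protocol-options`, and that a profile with no domain-fronting line (or no http section at all) is running the non-strict default, as the advisory's "not default" annotation indicates. The sample configuration embedded in the script is constructed for the example.

```python
"""Audit a saved FortiOS/FortiProxy config dump for explicit web proxy
protocol-option profiles whose http section is not `domain-fronting strict`.

Added example, not Fortinet code. Assumes the config text follows the
nesting used in the advisory:
    config firewall profile-protocol-options / edit "<name>" /
    config http ... end / next / end
"""
import shlex

# Constructed sample: one hardened profile, one that relies on the default
# (no domain-fronting line), and one with no http section at all.
SAMPLE_CONFIG = """\
config firewall profile-protocol-options
    edit "strict-profile"
        set comment "Hardened."
        config http
            set ports 80
            unset options
            set domain-fronting strict
        end
    next
    edit "default-profile"
        set comment "All default services."
        config http
            set ports 80
            unset options
            unset post-lang
        end
        config ftp
            set ports 21
        end
    next
    edit "minimal-profile"
        set comment "No http block shown, so http defaults apply."
    next
end
"""

PROFILE_TABLE = "firewall profile-protocol-options"


def parse_profiles(config_text):
    """Return {profile_name: {section: {setting: value}}} for every `edit`
    entry under `config firewall profile-protocol-options`.

    `unset <key>` is recorded with value None; `set <key> <values...>` keeps
    the values joined by single spaces.
    """
    profiles = {}
    stack = []              # open scopes: table name, edit name, sub-table name
    current_profile = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)   # handles the quoted comment strings
        kw = tokens[0]
        if kw == "config":
            stack.append(" ".join(tokens[1:]))
        elif kw == "edit":
            name = tokens[1]
            stack.append(name)
            if stack[:-1] == [PROFILE_TABLE]:
                current_profile = name
                profiles[name] = {}
        elif kw in ("next", "end"):
            if stack:
                stack.pop()
            if kw == "next" and len(stack) == 1:
                current_profile = None
        elif kw in ("set", "unset") and current_profile and len(stack) == 3:
            # Depth 3 == inside a sub-table such as `config http` of a profile.
            section = stack[2]
            settings = profiles[current_profile].setdefault(section, {})
            settings[tokens[1]] = " ".join(tokens[2:]) if kw == "set" else None
    return profiles


def non_strict_profiles(profiles):
    """Names of profiles whose http section does not set domain-fronting to
    strict. A missing line or missing http section means the default applies,
    which the advisory states is not strict, so those are reported too."""
    return sorted(
        name for name, sections in profiles.items()
        if sections.get("http", {}).get("domain-fronting") != "strict"
    )


if __name__ == "__main__":
    for name in non_strict_profiles(parse_profiles(SAMPLE_CONFIG)):
        print(f"{name}: domain-fronting is not strict")
```

Run it against a real dump by reading the file into `parse_profiles` instead of `SAMPLE_CONFIG`; the parser only relies on the keyword structure, so extra sub-tables (ftp, ssl, and so on) and additional settings are ignored rather than breaking the audit.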

Acknowledgement

Fortinet is pleased to thank Emanuel Duss from Compass Security for reporting this vulnerability under responsible disclosure.

Timeline

2025-10-14: Initial publication