Impact
frp, a fast reverse proxy, contains an authentication bypass in its HTTP vhost routing when the routeByHTTPUser feature is enabled. The routing logic selects the backend from the username carried in the Proxy-Authorization header, while the access-control check verifies credentials taken from the normal Authorization header. Because the two decisions are made from different headers, an attacker who can reach the HTTP vhost endpoint and knows or can guess the routeByHTTPUser value of a protected backend may reach that backend even though the Proxy-Authorization password is wrong, bypassing the httpUser/httpPassword protection. This is an improper-authentication flaw (CWE-287) that compromises the confidentiality of services behind the proxy. Remote network access to the HTTP vhost endpoint is sufficient; the description indicates no need for elevated privileges or local access.
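The Go program below is added here to illustrate the design invariant that the split described above violates; it is not frp's code, and the backend type, router, sample domain web.example.com and sample password are constructed for the illustration. The name that selects the backend and the name whose password is verified are taken from one parsed credential, so a request carrying a known routeByHTTPUser value with a wrong password in Proxy-Authorization is rejected whether or not an Authorization header is also present.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// backend is a constructed stand-in for one frpc "http" proxy entry, carrying
// only the three settings the advisory talks about. It is not frp's own type.
type backend struct {
	Name            string
	RouteByHTTPUser string // "" means this is the domain's default route
	HTTPUser        string // "" means the backend is not password protected
	HTTPPassword    string
}

// router holds the backends registered under one vhost domain, keyed by the
// routeByHTTPUser value that selects each of them.
type router struct {
	byUser map[string]*backend
}

func newRouter(backends ...*backend) *router {
	r := &router{byUser: map[string]*backend{}}
	for _, b := range backends {
		r.byUser[b.RouteByHTTPUser] = b
	}
	return r
}

// parseBasicAuth decodes an HTTP Basic credential ("Basic base64(user:pass)").
// ok is false for a missing, malformed or colon-less value.
func parseBasicAuth(v string) (user, pass string, ok bool) {
	const prefix = "Basic "
	if len(v) <= len(prefix) || !strings.EqualFold(v[:len(prefix)], prefix) {
		return "", "", false
	}
	raw, err := base64.StdEncoding.DecodeString(v[len(prefix):])
	if err != nil {
		return "", "", false
	}
	user, pass, ok = strings.Cut(string(raw), ":")
	if !ok {
		return "", "", false
	}
	return user, pass, true
}

// handle applies the invariant the advisory's flaw breaks: the name used to
// pick the backend and the name whose password is verified come from the same
// parsed credential. Proxy-Authorization is consulted first (the header that
// routeByHTTPUser reads), then Authorization, but never a name from one header
// and a password from the other. With no usable credential the empty name
// selects only the default route. Returns the status and the chosen backend
// (nil unless the status is 200).
func (r *router) handle(req *http.Request) (int, *backend) {
	var user, pass string
	var ok bool
	for _, h := range []string{"Proxy-Authorization", "Authorization"} {
		if user, pass, ok = parseBasicAuth(req.Header.Get(h)); ok {
			break
		}
	}
	target := r.byUser[user]
	if target == nil {
		return http.StatusNotFound, nil
	}
	if target.HTTPUser != "" {
		userOK := subtle.ConstantTimeCompare([]byte(user), []byte(target.HTTPUser)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(pass), []byte(target.HTTPPassword)) == 1
		if !userOK || !passOK {
			return http.StatusUnauthorized, nil
		}
	}
	return http.StatusOK, target
}

// basic builds a Basic credential value for the sample requests below.
func basic(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// newRequest builds a request for the sample vhost carrying the two headers
// the advisory discusses (either may be empty).
func newRequest(proxyAuth, auth string) *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "http://web.example.com/", nil)
	if proxyAuth != "" {
		req.Header.Set("Proxy-Authorization", proxyAuth)
	}
	if auth != "" {
		req.Header.Set("Authorization", auth)
	}
	return req
}

// sampleRouter is the constructed configuration: an unprotected default
// backend plus one selected by routeByHTTPUser and protected by
// httpUser/httpPassword (sample password, not a real one).
func sampleRouter() *router {
	return newRouter(
		&backend{Name: "public"},
		&backend{Name: "admin", RouteByHTTPUser: "admin", HTTPUser: "admin", HTTPPassword: "s3cret-sample"},
	)
}

func main() {
	r := sampleRouter()
	cases := []struct {
		name string
		req  *http.Request
	}{
		{"no credential", newRequest("", "")},
		{"known route user, wrong password", newRequest(basic("admin", "wrong"), "")},
		{"wrong password in both headers", newRequest(basic("admin", "wrong"), basic("admin", "wrong"))},
		{"correct credential", newRequest(basic("admin", "s3cret-sample"), "")},
	}
	for _, c := range cases {
		status, b := r.handle(c.req)
		reached := "-"
		if b != nil {
			reached = b.Name
		}
		fmt.Printf("%-34s -> %d %s\n", c.name, status, reached)
	}
}
```

Run it as a stand-alone program to see the four sample requests and their outcomes. When checking a deployment, the request shape to try is the second case: a valid routeByHTTPUser name with a deliberately wrong password in Proxy-Authorization, and no valid Authorization. A 2xx from a backend that has httpUser set means the backend selection and the credential check are not tied to the same identity.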
Affected Systems
The affected product is frp by fatedier (fatedier:frp). Versions 0.43.0 through 0.68.0 are vulnerable when the routeByHTTPUser option is enabled on an HTTP proxy. HTTP proxies that do not set routeByHTTPUser are not affected.
Risk and Exploitability
The CVSS base score of 6.5 (Medium) indicates moderate severity; the EPSS score below 1% indicates a low but non-zero probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. Exploitation requires only network access to the frp server's HTTP vhost entry point: a remote attacker crafts HTTP requests that carry a known or guessed routeByHTTPUser value and reaches the protected backend without the correct Proxy-Authorization credentials. No host-level privileges or local access are needed, so every remote party that can reach the server is a relevant threat.
OpenCVE Enrichment
GitHub GHSA