Impact
Apache NiFi versions 0.0.1 through 2.9.0 construct qualified URLs from several HTTP request headers that can act as alternatives to the standard Host header. The implementation did not validate the values supplied in these headers, including X-ProxyHost and X-Forwarded-Host. A client can therefore submit arbitrary header values that lead NiFi to build malformed or malicious URLs for redirection or data references. This flaw is a CWE‑346 weakness involving missing validation of critical input.
Affected Systems
The vulnerability applies to the Apache Software Foundation’s Apache NiFi product in all releases from 0.0.1 up to and including 2.9.0. Versions 1.6.0 introduced host‑header restrictions for the standard Host header but did not affect the alternative proxy or forwarded headers, so the issue remains in those releases. The problem is resolved in version 2.10.0 and later.
Risk and Exploitability
The CVSS score of 6.3 indicates medium severity. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a client that can reach the NiFi web service interface; the client can send crafted HTTP requests containing malicious proxy host headers to affect URL construction. No additional authentication or privileged conditions are described, so the risk applies to any reachable client.
OpenCVE Enrichment