Litestar X-Forwarded-For Header Spoofing Vulnerability Enables Rate Limit Evasion

説明

While testing Litestar's RateLimitMiddleware, I discovered that rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined attackers.

The Problem

Litestar's RateLimitMiddleware uses cache_key_from_request() to generate cache keys for rate limiting. When an X-Forwarded-For header is present, the middleware trusts it unconditionally and uses its value as part of the client identifier.

Since clients can set arbitrary X-Forwarded-For values, each different spoofed IP creates a separate rate limit bucket. An attacker can rotate through different header values to avoid hitting any single bucket's limit.

Looking at the relevant code in litestar/middleware/rate_limit.py around line 127, there's no validation of proxy headers or configuration for trusted proxies.

Reproduction Steps

Here's a minimal test case

from litestar import Litestar, get
from litestar.middleware.rate_limit import RateLimitConfig
import uvicorn

@get("/api/data")
def get_data() -> dict:
    return {"message": "sensitive data"}

rate_config = RateLimitConfig(rate_limit=("minute", 2))

app = Litestar(
    route_handlers=[get_data],
    middleware=[rate_config.middleware]
)

if __name__ == "__main__":
    uvicorn.run(app, host="0.0.0.0", port=8000)

Testing the bypass

# Normal requests get rate limited after 2 requests
curl http://localhost:8000/api/data  # 200 OK
curl http://localhost:8000/api/data  # 200 OK  
curl http://localhost:8000/api/data  # 429 Too Many Requests

# But spoofing X-Forwarded-For bypasses the limit entirely
curl -H "X-Forwarded-For: 192.168.1.100" http://localhost:8000/api/data  # 200 OK
curl -H "X-Forwarded-For: 192.168.1.101" http://localhost:8000/api/data  # 200 OK
curl -H "X-Forwarded-For: 192.168.1.102" http://localhost:8000/api/data  # 200 OK

Security Impact

This vulnerability has several concerning implications:

Brute Force Protection Bypass: Authentication endpoints protected by rate limiting become vulnerable to credential stuffing attacks. An attacker can attempt thousands of login combinations from a single source.

API Abuse: Public APIs relying on rate limiting for abuse prevention can be scraped or hammered without restriction.

Resource Exhaustion: While not a traditional DoS, the ability to bypass rate limits means attackers can consume more server resources than intended.

The issue is particularly problematic because many developers deploy Litestar applications directly (not behind a proxy) during development or in containerized environments, making this attack vector accessible.

Potential Solutions

After reviewing how other frameworks handle this:

  • Default to socket IP only: Don't trust proxy headers unless explicitly configured
  • Trusted proxy configuration: Add settings to specify which proxy IPs are allowed to set forwarded headers
  • Header validation: Implement basic validation of forwarded IP formats

Django handles this through SECURE_PROXY_SSL_HEADER and trusted proxy lists. Express.js has similar trusted proxy configurations.

For immediate mitigation, applications can deploy behind a properly configured reverse proxy that strips/overwrites client-controllable headers before they reach Litestar.

Environment Details

  • Litestar version: 2.17.0
  • Python: 3.11

This affects any Litestar application using RateLimitMiddleware with default settings, which likely includes most applications that implement rate limiting.

基本情報

タイプ
reviewed
深刻度
high
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
リポジトリのアドバイザリを開く ↗
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2025-10-06 20:18:00 UTC
更新
2025-10-13 15:13:31 UTC
GitHub レビュー済み
2025-10-06 20:18:00 UTC
NVD で公開
2025-10-06

EPSS Score

Score Percentile
0.06% 17.76%

CVSS Scores

Base score Version Severity Vector
7.5 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H クリックして展開
攻撃ベクター (AV:N)
インターネットなど、ルーティングされたネットワーク越しに遠隔から悪用しうる。端末の前にいる必要はない。
攻撃の複雑さ (AC:L)
攻撃者が条件を満たせば、レース条件や珍しい構成に依存せずに再現しやすい。
必要な権限 (PR:N)
事前のログインや昇格は不要で、匿名アクセスのまま踏み台にしうる。
ユーザーの関与 (UI:N)
メールのリンクを開く、マクロを有効にするなど、被害者の協力がなくても成立しうる。
スコープ (S:U)
影響は脆弱コンポーネントと同一のセキュリティ権限・信頼境界の内側に収まる。
機密性への影響 (C:N)
機微情報の漏えいは想定しにくい。
完全性への影響 (I:N)
改ざん・なりすましによる信頼毀損は軽微か、想定されない。
可用性への影響 (A:H)
長時間のサービス停止、データ損壊による復旧不能に近い状態など、利用者に著しい不便を与えうる。

Identifiers

CWEs

CWE id Name
CWE-807 Reliance on Untrusted Inputs in a Security Decision

Credits

  • crum7 (finder)
  • takumi-san-ai (analyst)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip litestar = 2.17.0 2.18.0

References

cvelogic Threat Intelligence