CVE-2025-59152
BaseFortify
Publication date: 2025-10-06
Last updated on: 2025-10-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| litestar | litestar | 2.18.0 |
| litestar | litestar | 2.17.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Litestar version 2.17.0's RateLimitMiddleware allows attackers to bypass IP-based rate limiting by spoofing the X-Forwarded-For HTTP header. The middleware trusts this header unconditionally as the client identifier without validating it, so attackers can rotate through different spoofed IP addresses in the header. Each spoofed IP creates a separate rate limit bucket, enabling attackers to avoid hitting any single bucket's limit and effectively bypass rate limiting. [1]
How can this vulnerability impact me?
The vulnerability can lead to bypass of brute force protections on authentication endpoints, enabling credential stuffing attacks. It also allows unrestricted abuse of public APIs that rely on rate limiting and can cause potential resource exhaustion due to unchecked request volumes. This can degrade service availability and reliability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to your Litestar application and checking for unusual patterns in the X-Forwarded-For header values. Specifically, if you observe a high volume of requests with varying or spoofed X-Forwarded-For header values that bypass rate limits, this indicates exploitation of the vulnerability. A practical approach is to log incoming requests and analyze the X-Forwarded-For headers for rapid rotation or unusual IP address patterns. While no specific commands are provided, you can use tools like tcpdump or Wireshark to capture HTTP traffic, and grep or log analysis tools to filter requests by the X-Forwarded-For header. For example, assuming the header value is written into your access log, `grep -io 'X-Forwarded-For: *[^ ]*' access.log | sort | uniq -c | sort -rn` extracts each header value and counts how often each distinct value appears, so a long tail of values that each occur only once or twice stands out. Additionally, testing can be done by sending multiple requests with different X-Forwarded-For headers and observing if rate limits are enforced or bypassed. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Litestar to version 2.18.0 or later, where the vulnerability is fixed. If upgrading is not immediately possible, configure the RateLimitMiddleware to use the default client IP address from the socket connection rather than trusting the X-Forwarded-For header. Deploy your Litestar application behind a properly configured reverse proxy that strips or overwrites client-controllable headers like X-Forwarded-For. Additionally, use middleware such as Uvicorn's ProxyHeaderMiddleware or Hypercorn's ProxyFixMiddleware to securely handle proxy headers and ensure only trusted proxies can set forwarded headers. Implement validation of forwarded IP formats and restrict trusted proxy IPs to prevent attackers from spoofing headers and bypassing rate limits. [1, 2]
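As an added example (not code from the Litestar project and not the upstream fix), the block below shows both the behaviour described in the explanation above, where a rate-limit key derived from an unconditionally trusted X-Forwarded-For header gives every spoofed value its own bucket, and the trusted-proxy mitigation described here: the header is consulted only when the socket peer is a configured proxy, the chain is walked from the right past trusted hops, and malformed values fall back to the socket address. The ASGI-style `scope` dictionary, the `TRUSTED_PROXIES` network, the `RateLimiter` class and all addresses are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumption: the proxy tier that terminates client connections lives in 10.0.0.0/8.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def header(scope, name):
    """Return a header value from an ASGI-style scope (list of (bytes, bytes) pairs)."""
    wanted = name.lower().encode()
    for key, value in scope.get("headers", []):
        if key.lower() == wanted:
            return value.decode()
    return None


def vulnerable_client_key(scope):
    """Behaviour described on the page: the header is trusted unconditionally,
    so whoever sets it chooses their own rate-limit bucket."""
    xff = header(scope, "x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return scope["client"][0]


def hardened_client_key(scope, trusted_proxies=TRUSTED_PROXIES):
    """Only honour X-Forwarded-For when the socket peer is a trusted proxy, then
    walk the chain from the right, skipping trusted hops, and fall back to the
    socket address on any malformed entry."""
    peer = scope["client"][0]
    if not any(ipaddress.ip_address(peer) in net for net in trusted_proxies):
        return peer  # direct untrusted connection: the header means nothing
    xff = header(scope, "x-forwarded-for")
    if not xff:
        return peer
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed chain: do not let garbage pick a bucket
        if not any(addr in net for net in trusted_proxies):
            return str(addr)  # right-most address not set by our own proxies
    return peer  # every hop was a trusted proxy; nothing better to key on


class RateLimiter:
    """Minimal fixed-window counter keyed by whatever `key_func` returns."""

    def __init__(self, key_func, limit):
        self.key_func = key_func
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, scope):
        key = self.key_func(scope)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def make_scope(peer, xff=None):
    """Build a constructed scope for one request from `peer`, optionally with a header."""
    headers = [] if xff is None else [(b"x-forwarded-for", xff.encode())]
    return {"client": (peer, 54321), "headers": headers}


def simulate(key_func, limit=3, attempts=10):
    """One untrusted peer sends `attempts` requests, each with a different
    X-Forwarded-For value; return how many the limiter lets through."""
    limiter = RateLimiter(key_func, limit)
    allowed = 0
    for i in range(attempts):
        if limiter.allow(make_scope("203.0.113.9", xff=f"198.51.100.{i}")):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("trusting header:", simulate(vulnerable_client_key), "of 10 allowed")
    print("trusted proxies :", simulate(hardened_client_key), "of 10 allowed")
```

With a limit of three, the header-trusting key lets all ten requests through because each spoofed value lands in a fresh bucket, while the hardened key collapses them onto the socket address and stops after three. The same function still yields the real client address when the request genuinely arrives via a trusted proxy (peer in 10.0.0.0/8, chain such as `198.51.100.7, 10.0.0.3`), which is the property a reverse-proxy-aware deployment needs.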