CVE-2026-23848
Rate Limiting Bypass via X-Forwarded-For in MyTube API

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue.
Meta Information
Published: 2026-01-19
Last Modified: 2026-01-19
Generated: 2026-05-07
AI Q&A: 2026-01-19
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor        Product   Version / Range
franklioxygen mytube    up to 1.7.71 (excluding)
franklioxygen mytube    from 1.0.0 (including) up to 1.7.71 (excluding)
CWE
CWE-807: The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in MyTube (versions prior to 1.7.71) allows unauthenticated attackers to bypass IP-based rate limiting by spoofing the X-Forwarded-For header. The application trusts this header to identify client IPs for rate limiting, but attackers can manipulate it to appear as different IP addresses, enabling them to make unlimited requests to protected API endpoints. This bypass can lead to denial of service (DoS) attacks and abuse of resource-intensive operations. [1]


How can this vulnerability impact me?

The vulnerability can impact you by allowing attackers to circumvent rate limits on MyTube's API endpoints, resulting in potential denial of service (DoS) attacks. Attackers can send unlimited requests by spoofing IP addresses, which may degrade service availability, exhaust resources, and bypass intended usage restrictions, potentially disrupting normal operations. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by monitoring for unusual patterns of requests with varying X-Forwarded-For header values that exceed normal rate limits. A proof-of-concept involves sending POST requests with spoofed X-Forwarded-For headers to endpoints such as /api/settings/verify-admin-password to test if rate limiting is bypassed. On your system, you can use tools like curl or HTTP clients to send multiple requests with different X-Forwarded-For headers and observe if the rate limiting is enforced. For example, using curl commands:

    curl -X POST https://your-mytube-instance/api/settings/verify-admin-password -H "X-Forwarded-For: 1.2.3.4"
    curl -X POST https://your-mytube-instance/api/settings/verify-admin-password -H "X-Forwarded-For: 1.2.3.5"

If these requests are not rate limited, your system is vulnerable. [1]
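The monitoring idea in the answer above, as an added Node.js example that is not part of the advisory or of the MyTube project: it parses a constructed access log, groups requests by the TCP peer address, and flags any peer that is not a known proxy yet presents several distinct X-Forwarded-For values inside one time window. A real reverse proxy legitimately forwards many different client addresses, so known proxies are excluded; a direct client whose header keeps changing is the spoofing signature. The log format, the IP addresses, the paths and the thresholds are all constructed for this illustration.

```javascript
// Added example, not MyTube's code. Log format is constructed for this demo:
// "<iso-time> <socket-ip> \"<x-forwarded-for or ->\" <method> <path> <status>"
const SAMPLE_LOG = `
2026-01-19T10:00:01Z 198.51.100.20 "1.2.3.4" POST /api/settings/verify-admin-password 401
2026-01-19T10:00:01Z 198.51.100.20 "1.2.3.5" POST /api/settings/verify-admin-password 401
2026-01-19T10:00:02Z 198.51.100.20 "1.2.3.6" POST /api/settings/verify-admin-password 401
2026-01-19T10:00:02Z 198.51.100.20 "1.2.3.7" POST /api/settings/verify-admin-password 401
2026-01-19T10:00:03Z 203.0.113.7 "-" GET /api/videos 200
2026-01-19T10:00:04Z 203.0.113.7 "-" GET /api/videos 200
2026-01-19T10:00:05Z 127.0.0.1 "203.0.113.50" GET /api/videos 200
2026-01-19T10:00:06Z 127.0.0.1 "203.0.113.51" GET /api/videos 200
`.trim();

const LINE_RE = /^(\S+) (\S+) "([^"]*)" (\S+) (\S+) (\d{3})$/;

// Parse one log line into a record; returns null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ts: Date.parse(m[1]),
    socketIp: m[2],
    xff: m[3] === "-" ? null : m[3],
    method: m[4],
    path: m[5],
    status: Number(m[6]),
  };
}

// For every peer that is not a known proxy, compute the largest number of
// distinct X-Forwarded-For values seen in any sliding window of `windowMs`.
// Peers reaching `minDistinct` are reported with the paths they touched.
function findXffSpoofing(
  logText,
  { knownProxies = new Set(), minDistinct = 3, windowMs = 60_000 } = {}
) {
  const byPeer = new Map();
  for (const raw of logText.split("\n")) {
    const rec = parseLine(raw);
    if (!rec || rec.xff === null || knownProxies.has(rec.socketIp)) continue;
    const list = byPeer.get(rec.socketIp) || [];
    list.push(rec);
    byPeer.set(rec.socketIp, list);
  }

  const findings = [];
  for (const [peer, recs] of byPeer) {
    recs.sort((a, b) => a.ts - b.ts);
    let lo = 0;
    let best = 0;
    for (let hi = 0; hi < recs.length; hi++) {
      // advance the window start until it fits inside windowMs
      while (recs[hi].ts - recs[lo].ts > windowMs) lo++;
      const distinct = new Set(recs.slice(lo, hi + 1).map((r) => r.xff)).size;
      if (distinct > best) best = distinct;
    }
    if (best >= minDistinct) {
      findings.push({
        peer,
        distinctXff: best,
        paths: [...new Set(recs.map((r) => r.path))],
      });
    }
  }
  return findings;
}

// Stand-alone run: the reverse proxy at 127.0.0.1 is excluded, so only the
// direct client rotating its header is reported.
console.log(findXffSpoofing(SAMPLE_LOG, { knownProxies: new Set(["127.0.0.1"]) }));
```

The threshold and window are tuning knobs: a browser behind a carrier-grade NAT never rotates its own X-Forwarded-For, so even a low `minDistinct` is safe for peers that are not proxies, while the proxy allow-list keeps the genuine forwarders out of the report.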


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to upgrade MyTube to version 1.7.71 or later, where the vulnerability is patched. The patch includes a refactor of IP extraction and validation logic to prioritize the non-spoofable socket IP address over the X-Forwarded-For header, validating IP addresses, and only trusting X-Forwarded-For when behind a trusted proxy. If upgrading is not immediately possible, consider disabling trust proxy settings or implementing custom IP validation to prevent spoofing of the X-Forwarded-For header. Monitoring and blocking suspicious requests with spoofed IP headers can also help mitigate attacks until the patch is applied. [1, 2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

