CVE-2026-57942
Deferred Deferred - Pending Action

IP Spoofing in LibreTranslate via X-Forwarded-For Header

Vulnerability report for CVE-2026-57942, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-07-19
AI Q&A
2026-06-29
EPSS Evaluated
2026-07-18
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
libretranslate libretranslate to 1.9.8 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-348 The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

LibreTranslate versions up to 1.9.7 have an IP spoofing vulnerability in the get_remote_address() function. This vulnerability allows unauthenticated attackers to inject arbitrary IP addresses into the X-Forwarded-For HTTP header without validation from trusted proxies.

Because the application trusts the X-Forwarded-For header without verifying if it comes from a trusted proxy, attackers can spoof client IP addresses.

This spoofing enables attackers to bypass per-IP rate limiting and flood ban protections, allowing unlimited abuse of the API.

Detection Guidance

This vulnerability can be detected by monitoring incoming requests for suspicious or unusual values in the X-Forwarded-For HTTP header, especially if multiple distinct or forged IP addresses are observed that bypass rate limiting or flood bans.

One approach is to capture and analyze HTTP request headers to identify if the X-Forwarded-For header is being manipulated. For example, using command-line tools like tcpdump or tshark to filter HTTP traffic and extract X-Forwarded-For headers can help detect spoofing attempts.

  • Use tcpdump to capture HTTP traffic on port 80 or 443: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep 'X-Forwarded-For'
  • Use tshark to extract X-Forwarded-For headers: tshark -i <interface> -Y 'http.x_forwarded_for' -T fields -e http.x_forwarded_for

Additionally, reviewing application logs for repeated requests with varying X-Forwarded-For values that bypass rate limiting can indicate exploitation of this vulnerability.

Impact Analysis

This vulnerability can allow attackers to bypass rate limiting and flood ban mechanisms that rely on client IP addresses.

As a result, attackers can flood the LibreTranslate API with unlimited requests by spoofing different IP addresses in the X-Forwarded-For header.

This can lead to resource exhaustion, denial of service, and abuse of translation or detection services, especially on public instances with free tiers or usage caps.

Compliance Impact

The vulnerability allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. This enables attackers to bypass per-IP rate limiting and flood bans, leading to unlimited API abuse.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to spoof IP addresses and bypass abuse controls could potentially impact the integrity and security of user data and audit logs, which are important for regulatory compliance.

Organizations relying on LibreTranslate for services that must comply with regulations requiring accurate client identification and abuse prevention might face challenges due to this vulnerability if not properly mitigated.

The fix introduces a configurable option to trust the X-Forwarded-For header only when behind a trusted proxy, which helps mitigate the risk and supports better compliance with security best practices.

Mitigation Strategies

To mitigate this vulnerability immediately, you should update LibreTranslate to a version that includes the fix from commit 397fd22 or later.

If updating is not immediately possible, configure LibreTranslate to not trust the X-Forwarded-For header by ensuring the `--trust-forwarded-for` flag or the `TRUST_FORWARDED_FOR` configuration option is disabled. This prevents the application from using the potentially spoofed header to determine client IP addresses.

This mitigation ensures that IP-based rate limiting and flood ban mechanisms rely on the actual remote address rather than the spoofable X-Forwarded-For header.

Additionally, if LibreTranslate is deployed behind a trusted reverse proxy, enable the `--trust-forwarded-for` flag only if the proxy properly validates and sanitizes the X-Forwarded-For header.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57942. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart