CVE-2026-57942
Status: Received - Intake

IP Spoofing in LibreTranslate via X-Forwarded-For Header

Vulnerability report for CVE-2026-57942, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: libretranslate
Product: libretranslate
Version / Range: up to 1.9.8 (exclusive)

Exploitability

CWE-348: The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.

Executive Summary

LibreTranslate versions up to 1.9.7 have an IP spoofing vulnerability in the get_remote_address() function. The function reads the client address from the X-Forwarded-For HTTP header without validating that the header was set by a trusted proxy, so unauthenticated attackers can inject arbitrary IP addresses into it.

Because the application trusts the X-Forwarded-For header without verifying if it comes from a trusted proxy, attackers can spoof client IP addresses.

This spoofing enables attackers to bypass per-IP rate limiting and flood ban protections, allowing unlimited abuse of the API.

Impact Analysis

This vulnerability can allow attackers to bypass rate limiting and flood ban mechanisms that rely on client IP addresses.

As a result, attackers can flood the LibreTranslate API with unlimited requests by spoofing different IP addresses in the X-Forwarded-For header.

This can lead to resource exhaustion, denial of service, and abuse of translation or detection services, especially on public instances with free tiers or usage caps.

Detection Guidance

This vulnerability can be detected by monitoring incoming requests for suspicious or unusual values in the X-Forwarded-For HTTP header, especially if multiple distinct or forged IP addresses are observed that bypass rate limiting or flood bans.

One approach is to capture and analyze HTTP request headers to identify whether the X-Forwarded-For header is being manipulated. For example, using command-line tools like tcpdump or tshark to filter HTTP traffic and extract X-Forwarded-For headers can help detect spoofing attempts.

  • Use tcpdump to capture HTTP traffic on port 80 or 443: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep 'X-Forwarded-For' (on port 443 the headers are inside TLS, so capture on the plaintext side of the TLS-terminating proxy)
  • Use tshark to extract X-Forwarded-For headers: tshark -i <interface> -Y 'http.x_forwarded_for' -T fields -e http.x_forwarded_for

Additionally, reviewing application logs for repeated requests with varying X-Forwarded-For values that bypass rate limiting can indicate exploitation of this vulnerability.

Mitigation Strategies

To mitigate this vulnerability immediately, you should update LibreTranslate to a version that includes the fix from commit 397fd22 or later.

If updating is not immediately possible, configure LibreTranslate to not trust the X-Forwarded-For header by ensuring the `--trust-forwarded-for` flag or the `TRUST_FORWARDED_FOR` configuration option is disabled. This prevents the application from using the potentially spoofed header to determine client IP addresses.

This mitigation ensures that IP-based rate limiting and flood ban mechanisms rely on the actual remote address rather than the spoofable X-Forwarded-For header.

Additionally, if LibreTranslate is deployed behind a trusted reverse proxy, enable the `--trust-forwarded-for` flag only if the proxy properly validates and sanitizes the X-Forwarded-For header.
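As an added example that is not LibreTranslate's own code, the following shows the CWE-348 pattern the description names next to a hardened get_remote_address() that honors X-Forwarded-For only when the TCP peer is a trusted proxy. The trusted-proxy range and the WSGI-style request environments are constructed values.

```python
import ipaddress

# Constructed value: replace with the reverse proxy range of the deployment.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _parse_ip(text):
    """Return an ip_address object, or None if the text is not an IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted_proxy(addr, trusted):
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in trusted)


def vulnerable_remote_address(environ):
    """CWE-348 pattern: a client-supplied header outranks the TCP peer."""
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return xff.split(",")[0].strip()
    return environ["REMOTE_ADDR"]


def hardened_remote_address(environ, trusted=TRUSTED_PROXIES):
    """Use X-Forwarded-For only when the peer is a trusted proxy, and then
    take the right-most hop that is not itself a trusted proxy: every hop
    to its left was supplied by the client and may be forged."""
    peer = environ["REMOTE_ADDR"]
    if not _is_trusted_proxy(peer, trusted):
        return peer  # direct connection: the header is attacker-controlled
    hops = [h.strip() for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if _is_trusted_proxy(hop, trusted):
            continue  # an intermediate proxy we operate, keep walking left
        # Malformed hop: fall back to the proxy address rather than letting
        # arbitrary strings create fresh rate-limit buckets.
        return hop if _parse_ip(hop) else peer
    return peer  # header empty or only our own proxies: nothing usable


if __name__ == "__main__":
    # Constructed environ: attacker connects directly and forges the header.
    direct = {"REMOTE_ADDR": "203.0.113.7", "HTTP_X_FORWARDED_FOR": "198.51.100.9"}
    # Constructed environ: same attacker behind the trusted proxy, which appended the real peer.
    proxied = {"REMOTE_ADDR": "10.0.0.5",
               "HTTP_X_FORWARDED_FOR": "198.51.100.9, 203.0.113.7"}
    for env in (direct, proxied):
        print(vulnerable_remote_address(env), "->", hardened_remote_address(env))
```

In both constructed cases the vulnerable function keys rate limiting on the forged 198.51.100.9, while the hardened one returns the address the attacker cannot control.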
