Litestar Rate Limit Bypass Vulnerability via X-Forwarded-For Header Manipulation

Vulnerability

A vulnerability in Litestar's RateLimitMiddleware in version 2.17.0 allows attackers to completely bypass IP-based rate limits by manipulating the X-Forwarded-For header. The middleware trusts this header unconditionally and uses its value to build the cache key for rate limiting, so each spoofed IP address is given its own rate limit bucket and the restriction is evaded. The issue affects any Litestar application using the default rate limiting settings, which is a common configuration. The vulnerability has been patched in version 2.18.0.

Impact

Exploitation of this vulnerability allows for the complete bypass of rate limits, making authentication endpoints vulnerable to credential stuffing attacks. It also enables unrestricted abuse of public APIs that rely on rate limiting for protection, potentially leading to resource exhaustion on the server.

Reproduction

To reproduce this vulnerability, deploy a Litestar application using version 2.17.0 with the RateLimitMiddleware configured to allow two requests per minute. Once the application is running, send requests to the rate-limited endpoint. After two requests, the server should respond with a 429 Too Many Requests status. However, by spoofing the X-Forwarded-For header with different IP addresses, the rate limit can be bypassed entirely, as each spoofed IP is treated as a separate client.

Remediation

Update to Litestar version 2.18.0, which addresses this vulnerability by validating X-Forwarded-For headers and allowing trusted proxies to be configured. For applications that cannot be updated immediately, deploy behind a reverse proxy that overwrites client-supplied X-Forwarded-For values instead of forwarding them unchanged.
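The following Python example is added here to illustrate the flaw described above and the shape of the fix; it is not Litestar's own code and does not use Litestar's 2.18.0 API. It places the flawed key derivation (the header is trusted whenever present) beside a hardened one that consults X-Forwarded-For only when the direct peer is one of our own proxies, then walks the chain from the right to the first address a client could not have chosen. The trusted proxy ranges, the in-memory limiter and the sample requests are all constructed for the example; names such as hardened_rate_limit_key and count_allowed are assumptions of this example.

```python
from ipaddress import ip_address, ip_network

# Constructed assumption: the address ranges of reverse proxies we operate ourselves.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.1/32")]


def _in_trusted(ip: str, trusted) -> bool:
    """True when ip parses and falls inside one of the trusted proxy networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def vulnerable_rate_limit_key(peer_ip: str, headers: dict) -> str:
    """Flawed pattern from the advisory: the header wins whenever it is present,
    so every client can choose its own rate limit bucket."""
    forwarded = headers.get("x-forwarded-for")
    if forwarded:
        return forwarded.split(",")[0].strip()
    return peer_ip


def hardened_rate_limit_key(peer_ip: str, headers: dict, trusted=TRUSTED_PROXIES) -> str:
    """Only a trusted proxy is allowed to speak for the client. Because proxies
    append to X-Forwarded-For, the rightmost entry that is not one of our own
    proxies is the address the proxy observed; anything left of it is client input."""
    if not _in_trusted(peer_ip, trusted):
        return peer_ip  # direct client: ignore the header entirely
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _in_trusted(hop, trusted):
            continue  # one of our own proxy hops, keep walking left
        try:
            ip_address(hop)
        except ValueError:
            return peer_ip  # malformed entry: fall back to the proxy's address
        return hop
    return peer_ip  # header absent or made up only of our proxies


class FixedWindowLimiter:
    """Minimal per-key counter standing in for the middleware's cache (one window only)."""

    def __init__(self, limit: int):
        self.limit = limit
        self.counts: dict = {}

    def allow(self, key: str) -> bool:
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.limit


# Constructed requests: three requests from one direct peer that reaches the app
# without passing through a trusted proxy, each carrying a different header value.
SAMPLE_REQUESTS = [
    ("203.0.113.7", {"x-forwarded-for": "198.51.100.1"}),
    ("203.0.113.7", {"x-forwarded-for": "198.51.100.2"}),
    ("203.0.113.7", {"x-forwarded-for": "198.51.100.3"}),
]


def count_allowed(key_fn, requests=SAMPLE_REQUESTS, limit: int = 2) -> int:
    """Run the requests through a limit-of-`limit` window and count those allowed."""
    limiter = FixedWindowLimiter(limit)
    return sum(1 for peer, headers in requests if limiter.allow(key_fn(peer, headers)))


if __name__ == "__main__":
    print("vulnerable:", count_allowed(vulnerable_rate_limit_key))  # 3: each request gets its own bucket
    print("hardened:", count_allowed(hardened_rate_limit_key))      # 2: all three share the peer's bucket
```

With the limit of two requests from the advisory's reproduction, the flawed key lets all three requests through, while the hardened key counts them against the single direct peer. The same rule also protects deployments that do sit behind a proxy: a client that prepends its own value to X-Forwarded-For cannot displace the address the trusted proxy appended on the right.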

Added: Oct 6, 2025, 4:22 PM
Updated: Oct 6, 2025, 4:22 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.