HomeBox Authentication Rate Limit Bypass Vulnerability

Vulnerability

A vulnerability in HomeBox versions prior to 0.24.0 allows the authentication rate limit to be bypassed through IP spoofing. The rate limiter tracks failed login attempts per client IP, which it derives from the X-Real-IP header, the first entry of the X-Forwarded-For header, or the remote address of the TCP connection. These headers were read unconditionally, without verifying whether HomeBox was actually behind a trusted proxy, so an attacker could forge the X-Real-IP header and obtain a fresh rate limit identity on every request. The issue is compounded by the fact that the TrustProxy option, intended for exactly this scenario, was never wired into the middleware or rate limiter code. As a result, attackers who reach HomeBox directly can brute-force accounts, particularly in self-hosted deployments that have no reverse proxy or external rate limiting in front of them.
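The following is an added illustration, not HomeBox's own code: vulnerableClientKey reconstructs the unconditional header lookup the advisory describes, and hardenedClientKey shows the TrustProxy-style fix, consulting proxy headers only when the TCP peer is a configured trusted proxy. The function names and the trusted set (a set of proxy IP strings) are assumptions; the hardened version also goes beyond the page's "first entry" rule by walking X-Forwarded-For from the right past trusted hops, which is the form that survives a client prepending its own entry.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// peerIP is the TCP peer address from r.RemoteAddr ("host:port").
func peerIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// vulnerableClientKey reconstructs the pre-0.24.0 behaviour the advisory
// describes: headers are honoured on every connection, so each request can
// carry a fresh rate-limit identity. (Reconstruction, not HomeBox's code.)
func vulnerableClientKey(r *http.Request) string {
	if ip := r.Header.Get("X-Real-IP"); ip != "" {
		return ip
	}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	return peerIP(r)
}

// hardenedClientKey honours proxy headers only when the TCP peer is in the
// trusted set (assumed: a set of proxy IP strings). X-Forwarded-For is walked
// from the right, skipping trusted hops, so the key is the address the nearest
// trusted proxy saw rather than the client-supplied first entry.
func hardenedClientKey(r *http.Request, trusted map[string]bool) string {
	peer := peerIP(r)
	if !trusted[peer] {
		return peer // no trusted proxy in front: headers are untrusted input
	}
	if ip := net.ParseIP(strings.TrimSpace(r.Header.Get("X-Real-IP"))); ip != nil {
		return ip.String()
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		if ip := net.ParseIP(strings.TrimSpace(hops[i])); ip != nil && !trusted[ip.String()] {
			return ip.String()
		}
	}
	return peer // header absent or only trusted hops
}
```

Note that the hardened version still depends on the trusted proxy overwriting X-Real-IP rather than forwarding whatever the client sent; a proxy that merely passes the header through reintroduces the same weakness.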

Impact

Exploitation of this vulnerability renders the authentication rate limit feature ineffective, allowing attackers to brute-force accounts more easily.

Remediation

Users can upgrade to HomeBox version 0.24.0 or later to address this vulnerability.

Added: Mar 3, 2026, 11:18 PM
Updated: Mar 3, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.0
remediation: 0.0
relevance: 3.4
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.