Fleet
cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*
- < 4.80.1
A vulnerability in Fleet's IP extraction logic prior to version 4.80.1 allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This issue can lead to brute-force login attempts or other abuses against Fleet instances exposed to the public internet. The vulnerability arises because Fleet extracts client IP addresses from request headers such as 'True-Client-IP', 'X-Real-IP', and 'X-Forwarded-For' without validating their origin from a trusted proxy. The extracted IP is used for rate limiting and IP ban decisions, enabling attackers to rotate these header values and bypass per-IP rate limits on sensitive endpoints like the login API.
By exploiting this vulnerability, attackers can bypass per-IP rate limits on the login API, allowing for unrestricted brute-force or credential stuffing attacks.
Users can upgrade to Fleet version 4.80.1 or later, where this vulnerability has been patched. If an immediate upgrade is not possible, administrators should deploy Fleet behind a reverse proxy that overwrites 'X-Forwarded-For' with the true client IP and apply rate limiting at the proxy or WAF layer.
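As an added illustration (not Fleet's code, and not necessarily the change shipped in 4.80.1), the Go block below puts the vulnerable extraction pattern beside one common hardened form: forwarding headers are consulted only when the TCP peer is inside an operator-configured trusted-proxy list, and `X-Forwarded-For` is walked from the right so the address appended by the last trusted hop wins, while `True-Client-IP` and `X-Real-IP` are ignored because any client can send them. A minimal per-key counter stands in for the rate limiter to show which key each extractor actually limits on. The trusted CIDR, peer addresses, header values and the `/login` path are constructed sample values; `IPExtractor`, `Limiter` and `AttemptsAllowed` are hypothetical names.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// peerIP is the address of the TCP peer, the only value the server itself observed.
func peerIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return net.ParseIP(host)
}

// naiveClientIP reproduces the vulnerable pattern: the first populated forwarding
// header wins, no matter who sent it, so the caller controls the rate-limit key.
func naiveClientIP(r *http.Request) string {
	for _, h := range []string{"True-Client-IP", "X-Real-IP", "X-Forwarded-For"} {
		if v := r.Header.Get(h); v != "" {
			return strings.TrimSpace(strings.Split(v, ",")[0]) // leftmost entry
		}
	}
	if ip := peerIP(r); ip != nil {
		return ip.String()
	}
	return r.RemoteAddr
}

// IPExtractor honours forwarding headers only for requests arriving from a
// trusted proxy (hypothetical type; the CIDR list is an assumed operator setting).
type IPExtractor struct {
	trusted []*net.IPNet
}

func NewIPExtractor(cidrs []string) (*IPExtractor, error) {
	e := &IPExtractor{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad trusted proxy CIDR %q: %w", c, err)
		}
		e.trusted = append(e.trusted, n)
	}
	return e, nil
}

func (e *IPExtractor) isTrusted(ip net.IP) bool {
	for _, n := range e.trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the peer unless the peer is a trusted proxy; then it walks
// X-Forwarded-For right to left, skipping trusted hops, and the first untrusted
// address is the client. A malformed or empty chain falls back to the peer.
func (e *IPExtractor) ClientIP(r *http.Request) string {
	peer := peerIP(r)
	if peer == nil {
		return r.RemoteAddr
	}
	if !e.isTrusted(peer) {
		return peer.String()
	}
	parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(parts) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(parts[i]))
		if ip == nil {
			break
		}
		if !e.isTrusted(ip) {
			return ip.String()
		}
	}
	return peer.String()
}

// Limiter is a fixed-budget per-key counter: enough to show which key the
// decision is made on (a real limiter would also have a time window).
type Limiter struct {
	max   int
	seen  map[string]int
	keyFn func(*http.Request) string
}

func NewLimiter(max int, keyFn func(*http.Request) string) *Limiter {
	return &Limiter{max: max, seen: map[string]int{}, keyFn: keyFn}
}

// Allow reports whether the request is still within its key's budget.
func (l *Limiter) Allow(r *http.Request) bool {
	k := l.keyFn(r)
	l.seen[k]++
	return l.seen[k] <= l.max
}

// loginAttempt builds a constructed request from the given peer carrying the given
// X-Forwarded-For value (empty string means no header).
func loginAttempt(peer, xff string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "/login", nil)
	r.RemoteAddr = peer
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

// AttemptsAllowed sends n requests from one directly connected peer, each with a
// different X-Forwarded-For value, and counts how many the limiter lets through.
func AttemptsAllowed(l *Limiter, n int) int {
	ok := 0
	for i := 0; i < n; i++ {
		if l.Allow(loginAttempt("203.0.113.7:51000", fmt.Sprintf("198.51.100.%d", i+1))) {
			ok++
		}
	}
	return ok
}

func main() {
	naive := NewLimiter(5, naiveClientIP)
	ext, _ := NewIPExtractor([]string{"10.0.0.0/8"})
	hardened := NewLimiter(5, ext.ClientIP)
	fmt.Println("naive limiter allowed:", AttemptsAllowed(naive, 20))       // 20
	fmt.Println("hardened limiter allowed:", AttemptsAllowed(hardened, 20)) // 5
}
```

With a budget of five, the naive limiter admits all twenty requests because each one presents a fresh header value, while the hardened limiter keys on the peer address and stops at five. The same logic applies to the proxy-side workaround above: because the page states that all three headers are read, a reverse proxy deployed as an interim fix must strip or overwrite `True-Client-IP` and `X-Real-IP` in addition to `X-Forwarded-For`, and the trusted-proxy list must contain only the proxy's own egress addresses.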