GHSA-hm36-ffrh-c77c
HIGHLitestar X-Forwarded-For Header Spoofing Vulnerability Enables Rate Limit Evasion
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
litestarReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
While testing Litestar's RateLimitMiddleware, I discovered that rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined attackers.
The Problem
Litestar's RateLimitMiddleware uses cache_key_from_request() to generate cache keys for rate limiting. When an X-Forwarded-For header is present, the middleware trusts it unconditionally and uses its value as part of the client identifier.
Since clients can set arbitrary X-Forwarded-For values, each different spoofed IP creates a separate rate limit bucket. An attacker can rotate through different header values to avoid hitting any single bucket's limit.
Looking at the relevant code in litestar/middleware/rate_limit.py around line 127, there's no validation of proxy headers or configuration for trusted proxies.
Reproduction Steps
Here's a minimal test case
from litestar import Litestar, get
from litestar.middleware.rate_limit import RateLimitConfig
import uvicorn
@get("/api/data")
def get_data() -> dict:
return {"message": "sensitive data"}
rate_config = RateLimitConfig(rate_limit=("minute", 2))
app = Litestar(
route_handlers=[get_data],
middleware=[rate_config.middleware]
)
if __name__ == "__main__":
uvicorn.run(app, host="0.0.0.0", port=8000)
Testing the bypass
# Normal requests get rate limited after 2 requests
curl http://localhost:8000/api/data # 200 OK
curl http://localhost:8000/api/data # 200 OK
curl http://localhost:8000/api/data # 429 Too Many Requests
# But spoofing X-Forwarded-For bypasses the limit entirely
curl -H "X-Forwarded-For: 192.168.1.100" http://localhost:8000/api/data # 200 OK
curl -H "X-Forwarded-For: 192.168.1.101" http://localhost:8000/api/data # 200 OK
curl -H "X-Forwarded-For: 192.168.1.102" http://localhost:8000/api/data # 200 OK
Security Impact
This vulnerability has several concerning implications:
Brute Force Protection Bypass: Authentication endpoints protected by rate limiting become vulnerable to credential stuffing attacks. An attacker can attempt thousands of login combinations from a single source.
API Abuse: Public APIs relying on rate limiting for abuse prevention can be scraped or hammered without restriction.
Resource Exhaustion: While not a traditional DoS, the ability to bypass rate limits means attackers can consume more server resources than intended.
The issue is particularly problematic because many developers deploy Litestar applications directly (not behind a proxy) during development or in containerized environments, making this attack vector accessible.
Potential Solutions
After reviewing how other frameworks handle this:
- Default to socket IP only: Don't trust proxy headers unless explicitly configured
- Trusted proxy configuration: Add settings to specify which proxy IPs are allowed to set forwarded headers
- Header validation: Implement basic validation of forwarded IP formats
Django handles this through SECURE_PROXY_SSL_HEADER and trusted proxy lists. Express.js has similar trusted proxy configurations.
For immediate mitigation, applications can deploy behind a properly configured reverse proxy that strips/overwrites client-controllable headers before they reach Litestar.
Environment Details
- Litestar version: 2.17.0
- Python: 3.11
This affects any Litestar application using RateLimitMiddleware with default settings, which likely includes most applications that implement rate limiting.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | litestar | ≥ 2.17.0&&< 2.18.0 | 2.18.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for litestar. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update litestar to 2.18.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-hm36-ffrh-c77c is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-hm36-ffrh-c77c is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-hm36-ffrh-c77c. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-hm36-ffrh-c77c in your dependencies?
O3 detects GHSA-hm36-ffrh-c77c across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.