Crum7

**Name of the Vulnerable Software and Affected Versions** Litestar versions prior to 2.18.0 **Description** Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In version 2.17.0, rate limits can be bypassed by manipulating the X-Forwarded-For header. The `RateLimitMiddleware` uses `cache key from request()` to generate cache keys for rate limiting. When an X-Forwarded-For header is present, the middleware trusts it unconditionally and uses its value as part of the client identifier. Attackers can rotate through different header values to avoid rate limits. This affects Litestar applications using RateLimitMiddleware with default settings. **Recommendations** Update to Litestar version 2.18.0 or later.