PT-2025-40902 · Litestar · Litestar

Crum7 · Published 2025-10-06 · Updated 2025-10-06 · CVE-2025-59152

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Litestar versions prior to 2.18.0

Description: Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In version 2.17.0, rate limits can be bypassed by manipulating the X-Forwarded-For header. The RateLimitMiddleware uses cache_key_from_request() to generate cache keys for rate limiting. When an X-Forwarded-For header is present, the middleware trusts it unconditionally and uses its value as part of the client identifier. Attackers can rotate through different header values to avoid rate limits. This affects Litestar applications using RateLimitMiddleware with default settings.

Recommendations: Update to Litestar version 2.18.0 or later.
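The following is an added illustration of the flaw class described above and of the usual mitigation; it is not Litestar's code and does not reproduce the project's fix. It contrasts a rate-limit key function that trusts any X-Forwarded-For value (the pattern the advisory describes) with one that only honors the header when the direct peer is a configured trusted proxy and then takes the rightmost hop that was not added by such a proxy. The trusted-proxy range, the header name, the toy fixed-window counter and the sample addresses are all assumptions constructed for the example.

```python
import ipaddress
from typing import Mapping

# Assumption: the reverse proxies we operate live in this range. Real deployments
# would load this from configuration; it is not a Litestar setting.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def client_key_unconditional(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Weak pattern: whatever the caller puts in X-Forwarded-For becomes the limit key.

    Because any client can set this header, each request can present a fresh
    identity and the per-client counter never accumulates.
    """
    xff = headers.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_key_trusted_proxy(peer_ip: str, headers: Mapping[str, str],
                             trusted=TRUSTED_PROXIES) -> str:
    """Hardened pattern: honor X-Forwarded-For only when the direct peer is a
    trusted proxy, and pick the rightmost hop that a trusted proxy did not add."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return peer_ip
    if not any(peer in net for net in trusted):
        # Direct connection from an untrusted source: the header is client-controlled.
        return peer_ip
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    # Walk right to left: the rightmost non-proxy address is the one our proxy saw.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed hop: fall back to the socket address
        if not any(addr in net for net in trusted):
            return str(addr)
    return peer_ip


class FixedWindowLimiter:
    """Minimal in-memory counter standing in for a real rate-limit store (assumption)."""

    def __init__(self, limit: int):
        self.limit = limit
        self.counts: dict[str, int] = {}

    def allow(self, key: str) -> bool:
        n = self.counts.get(key, 0) + 1
        self.counts[key] = n
        return n <= self.limit


def simulate(key_fn, limit: int = 3, attempts: int = 6) -> int:
    """Constructed scenario: one direct client at 203.0.113.9 sends `attempts`
    requests, each carrying a different X-Forwarded-For value. Returns how many
    requests the limiter let through."""
    limiter = FixedWindowLimiter(limit)
    allowed = 0
    for i in range(attempts):
        headers = {"x-forwarded-for": f"198.51.100.{i}"}
        if limiter.allow(key_fn("203.0.113.9", headers)):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("unconditional:", simulate(client_key_unconditional))   # all 6 pass
    print("trusted proxy:", simulate(client_key_trusted_proxy))   # only 3 pass
```

With the unconditional key every request is counted under a new identity, so the limit of 3 is never reached; with the trusted-proxy key the untrusted peer's socket address is used and the fourth request is refused. When a proxy is in the path, the hardened function still yields the real client address from the header, as the test below checks.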

Weakness Enumeration

Related Identifiers

CVE-2025-59152
GHSA-HM36-FFRH-C77C

Affected Products

Litestar