Rate Limiting Bypass in Litestar ASGI Framework by Manipulating X-Forwarded-For Header
CVE-2025-59152

7.5HIGH

Key Information:

Vendor

Litestar-org

Status
Litestar
Vendor
CVE Published:
6 October 2025

What is CVE-2025-59152?

The Litestar ASGI framework has a vulnerability in version 2.17.0 where the RateLimitMiddleware does not properly validate the X-Forwarded-For header, allowing attackers to bypass rate limits. This occurs because the middleware trusts the header and utilizes its value as part of the client identifier, enabling attackers to spoof IP addresses and effectively escape IP-based rate limiting. As different spoofed IP values create unique rate limit buckets, an attacker can manipulate these headers to rotate between them, thus avoiding limit thresholds. A fix is available in version 2.18.0.

Affected Version(s)

litestar = 2.17.0

References

https://github.com/litestar-org/litestar/security/advisor...
x_refsource_CONFIRM
https://github.com/litestar-org/litestar/commit/42a89e043...
x_refsource_MISC
https://github.com/litestar-org/litestar/blob/26f20ac6c52...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-59152 : Rate Limiting Bypass in Litestar ASGI Framework by Manipulating X-Forwarded-For Header