CVE-2025-59152: CWE-807: Reliance on Untrusted Inputs in a Security Decision in litestar-org litestar
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In version 2.17.0, rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined attackers. Litestar's RateLimitMiddleware uses `cache_key_from_request()` to generate cache keys for rate limiting. When an X-Forwarded-For header is present, the middleware trusts it unconditionally and uses its value as part of the client identifier. Since clients can set arbitrary X-Forwarded-For values, each different spoofed IP creates a separate rate limit bucket. An attacker can rotate through different header values to avoid hitting any single bucket's limit. This affects any Litestar application using RateLimitMiddleware with default settings, which likely includes most applications that implement rate limiting. Version 2.18.0 contains a patch for the vulnerability.
AI Analysis
Technical Summary
The vulnerability CVE-2025-59152 affects Litestar version 2.17.0, an ASGI framework widely used for asynchronous Python web applications. The issue lies in the RateLimitMiddleware component, which implements IP-based rate limiting by generating cache keys from client IP addresses. When the X-Forwarded-For HTTP header is present, the middleware trusts this header without validation and uses its value as the client identifier for rate limiting. Since the X-Forwarded-For header can be arbitrarily set by clients, attackers can spoof different IP addresses in this header to create multiple distinct rate limit buckets. This allows attackers to bypass rate limits by rotating through spoofed IP addresses, effectively nullifying the rate limiting protection. The vulnerability is classified under CWE-807 (Reliance on Untrusted Inputs in a Security Decision). The CVSS v3.1 score is 7.5 (high), reflecting the ease of exploitation (no authentication or user interaction required), network attack vector, and the significant impact on availability. The flaw does not compromise confidentiality or integrity but enables denial-of-service conditions by allowing attackers to flood services without restriction. The issue was reserved on 2025-09-09 and published on 2025-10-06. Litestar version 2.18.0 includes a patch that corrects this behavior by presumably validating or ignoring untrusted X-Forwarded-For headers for rate limiting purposes. No known exploits are reported in the wild yet.
Potential Impact
For European organizations, this vulnerability poses a significant risk to service availability, especially for those relying on Litestar 2.17.0 with default RateLimitMiddleware settings. Attackers can bypass rate limits and launch denial-of-service attacks, potentially causing service outages or degraded performance. This can affect customer-facing applications, internal APIs, and critical infrastructure relying on Litestar. The inability to enforce effective rate limiting may also increase the risk of automated abuse, credential stuffing, or brute-force attacks. While confidentiality and integrity remain intact, the availability impact can disrupt business operations, damage reputation, and incur financial losses. Organizations in sectors with high availability requirements, such as finance, healthcare, and e-commerce, are particularly vulnerable. Additionally, the flaw could be exploited as part of multi-vector attacks, compounding risks. The lack of authentication or user interaction for exploitation means attackers can operate remotely and anonymously, increasing the threat surface.
Mitigation Recommendations
European organizations should immediately upgrade Litestar to version 2.18.0 or later, which contains the patch for this vulnerability. Until the upgrade is applied, organizations should implement additional controls to validate or sanitize the X-Forwarded-For header before it is used for rate limiting. This can include configuring middleware to trust only headers from known and secure proxies or load balancers, ignoring client-supplied X-Forwarded-For headers from untrusted sources, or using alternative client identification methods such as authenticated tokens or cookies. Network-level protections like Web Application Firewalls (WAFs) can be configured to detect and block suspicious header manipulation or IP rotation patterns. Monitoring and alerting on unusual request rates or header anomalies can help detect exploitation attempts early. Additionally, consider implementing rate limiting based on multiple factors (e.g., user accounts, API keys) rather than solely on IP addresses. Conduct thorough testing after applying patches or configuration changes to ensure rate limiting functions as intended without introducing regressions.
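As an added illustration, not Litestar's own code or its 2.18.0 patch: the two key-derivation functions below contrast the flawed pattern the description names (believing X-Forwarded-For unconditionally) with the proxy-aware approach the mitigation paragraph recommends, and count how many rate-limit buckets a batch of requests is spread across. TRUSTED_PROXIES, the (peer IP, lowercased headers) request representation and the sample addresses are assumptions.

```python
import ipaddress
from typing import Callable, Iterable, Mapping

# Assumption: the only proxies that legitimately sit in front of the app.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def _is_trusted_proxy(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)
    except ValueError:  # not a parseable address
        return False

def vulnerable_cache_key(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Flawed pattern: if X-Forwarded-For is present, believe it. Any client
    can send the header, so each value it chooses becomes its own bucket."""
    xff = headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else peer_ip

def hardened_cache_key(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Honour X-Forwarded-For only when the direct peer is a trusted proxy,
    and use the rightmost hop that is not itself a trusted proxy (the address
    the outermost proxy actually saw). Client-prepended hops are ignored."""
    if not _is_trusted_proxy(peer_ip):
        return peer_ip  # header came straight from the client: ignore it
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if _is_trusted_proxy(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: fail closed
        return hop
    # No usable client address: bucket on the proxy itself so the request
    # still counts against a limit instead of escaping it.
    return peer_ip

def distinct_buckets(key_fn: Callable[[str, Mapping[str, str]], str],
                     requests: Iterable[tuple[str, Mapping[str, str]]]) -> int:
    """How many rate-limit buckets a batch of requests is spread across."""
    return len({key_fn(peer, hdrs) for peer, hdrs in requests})

# Constructed sample: one direct client rotating the header across requests.
SPOOFED = [("203.0.113.5", {"x-forwarded-for": f"198.51.100.{i}"}) for i in range(5)]

if __name__ == "__main__":
    print(distinct_buckets(vulnerable_cache_key, SPOOFED))  # 5: limit evaded
    print(distinct_buckets(hardened_cache_key, SPOOFED))    # 1: limit holds
```

The hardened variant also covers the legitimate proxied case: a request arriving from a trusted proxy with a chain such as `198.51.100.9, 10.0.0.3` is keyed on `198.51.100.9`, while anything the client prepends to the left of it is discarded.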
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-09T15:23:16.327Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e3e22d0d99582527b656f6
Added to database: 10/6/2025, 3:37:17 PM
Last enriched: 10/6/2025, 3:37:34 PM
Last updated: 10/7/2025, 11:12:43 AM