[Security] Rate limit bypass via X-Forwarded-For spoofing #45

@coderabbitai

Description

Summary

Rate limits can be bypassed by spoofing the X-Forwarded-For header.

Affected Code

  • server-services/start-services.js Line 178

Vulnerability

The code reads the client address from X-Forwarded-For on every connection, not only on connections that arrive from trusted proxies, so any client can set the header to an arbitrary value and be keyed by the rate limiter as a different client on each request.

Impact

  • Bypass login/register rate limits
  • Spam sensitive endpoints
  • Brute-force accounts

Recommended Fix

Only trust X-Forwarded-For when req.socket.remoteAddress is in a trusted-proxies allowlist.
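The following is an added example of the recommended fix; it is not the project's code from server-services/start-services.js. It assumes a Node-style request object (`req.socket.remoteAddress`, lowercase header names in `req.headers`) and a constructed allowlist `TRUSTED_PROXIES`; `clientIpForRateLimit`, `createRateLimiter` and `makeReq` are hypothetical helper names. When the TCP peer is not a trusted proxy the header is ignored entirely; when it is, the address list is walked from the right so that only entries appended by our own proxies are skipped and the first address we did not add ourselves is used.

```javascript
// Added example (not the project's code): derive the rate-limit key from
// X-Forwarded-For only when the TCP peer is a trusted proxy.

// Constructed sample allowlist of reverse-proxy addresses that may set the header.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '10.0.0.5']);

// Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d; normalize so
// allowlist comparisons work regardless of socket family.
function normalizeAddress(addr) {
  if (typeof addr !== 'string') return '';
  return addr.startsWith('::ffff:') ? addr.slice(7) : addr;
}

// Returns the address the rate limiter should key on for this request.
function clientIpForRateLimit(req, trustedProxies = TRUSTED_PROXIES) {
  const peer = normalizeAddress(req.socket && req.socket.remoteAddress);

  // Direct connection from an untrusted peer: the header is client-controlled,
  // so ignore it and key on the socket address.
  if (!trustedProxies.has(peer)) return peer;

  // Node lowercases header names and joins repeated headers with commas.
  const header = req.headers && req.headers['x-forwarded-for'];
  if (!header) return peer;

  const hops = String(header)
    .split(',')
    .map((s) => normalizeAddress(s.trim()))
    .filter(Boolean);

  // Walk right to left: the rightmost entries were appended by our own proxies.
  // Skip every trusted proxy and stop at the first address we did not add, which
  // is the nearest hop whose identity a trusted proxy actually observed.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return peer;
}

// Minimal in-memory fixed-window limiter keyed on the derived address.
// `now` is injectable so the window can be driven deterministically.
function createRateLimiter({ max, windowMs, now = () => Date.now() }) {
  const buckets = new Map();
  return function allow(req) {
    const key = clientIpForRateLimit(req);
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || t - bucket.start >= windowMs) {
      bucket = { start: t, count: 0 };
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    return bucket.count <= max;
  };
}

// Constructed request object for demonstration; a real handler gets it from the server.
function makeReq(remoteAddress, xff) {
  return {
    socket: { remoteAddress },
    headers: xff ? { 'x-forwarded-for': xff } : {},
  };
}

// Stand-alone demo: an untrusted peer rotating the header is still keyed on its
// own socket address, so the third attempt inside the window is rejected.
const allow = createRateLimiter({ max: 2, windowMs: 60000 });
console.log(allow(makeReq('203.0.113.7', '198.51.100.1'))); // true
console.log(allow(makeReq('203.0.113.7', '198.51.100.2'))); // true
console.log(allow(makeReq('203.0.113.7', '198.51.100.3'))); // false
```

The allowlist should contain only the addresses of proxies you operate; if the proxy is itself a fleet or a cloud load balancer, populate it from that infrastructure's published address ranges rather than hand-maintaining single IPs.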

References
