<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rate-Limit-Bypass - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/rate-limit-bypass/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 21:49:14 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/rate-limit-bypass/feed.xml" rel="self" type="application/rss+xml"/><item><title>9router: Login Brute-Force Protection Bypass via Spoofed X-Forwarded-For Header</title><link>https://feed.craftedsignal.io/briefs/2026-07-9router-x-forwarded-for-bypass/</link><pubDate>Mon, 06 Jul 2026 21:49:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-9router-x-forwarded-for-bypass/</guid><description>The 9router dashboard login rate limiter incorrectly uses the attacker-controlled X-Forwarded-For HTTP header to identify clients, leading to a brute-force protection bypass (CVE-2026-55501) that allows attackers to circumvent the lockout mechanism and conduct unlimited password brute-force attempts to gain administrative access.</description><content:encoded><![CDATA[<p>A high-severity vulnerability (CVE-2026-55501) has been identified in the 9router dashboard, specifically in versions up to and including 0.4.71. This flaw stems from the application's reliance on the attacker-controlled <code>X-Forwarded-For</code> HTTP header to determine a client's identity for its login rate-limiting mechanism. When 9router is exposed directly to the internet or deployed behind a reverse proxy that does not properly overwrite untrusted <code>X-Forwarded-For</code> headers, a remote attacker can bypass the brute-force protection. By rotating the <code>X-Forwarded-For</code> value with each login attempt, the attacker receives a fresh rate-limit bucket, rendering the lockout mechanism ineffective. This enables unlimited password guessing against the dashboard, significantly increasing the risk of unauthorized administrative access, especially if default or weak credentials are in use.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A remote attacker identifies a publicly reachable 9router dashboard instance, typically listening on HTTP/S.</li>
<li>The attacker initiates a series of login attempts by sending HTTP <code>POST</code> requests to the <code>/api/auth/login</code> endpoint.</li>
<li>For each login attempt, the attacker crafts a unique and arbitrary <code>X-Forwarded-For</code> HTTP header value (e.g., <code>10.0.0.1</code>, <code>10.0.0.2</code>, <code>10.0.0.3</code>).</li>
<li>The 9router application, due to its vulnerable <code>getClientIp</code> function, uses this attacker-controlled <code>X-Forwarded-For</code> value as the client identifier for its in-memory rate limiter.</li>
<li>Each unique <code>X-Forwarded-For</code> header creates a new, independent rate-limit bucket for the attacker, effectively resetting the failed attempt counter and bypassing the configured lockout thresholds.</li>
<li>The attacker continues this process, performing unlimited password guessing against the dashboard login without triggering any lockout, until the correct credentials are found or all possibilities are exhausted.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-55501 allows an attacker to completely bypass the 9router dashboard's login lockout mechanism, enabling unlimited brute-force attempts against user passwords. If the attacker successfully guesses credentials, particularly in instances still using default or weak passwords, they gain administrative access to the 9router dashboard. This administrative access could lead to severe consequences, including the ability to retrieve sensitive configured provider credentials and API keys, modify critical application settings, disable security features, create persistent backdoors via new API keys, or further pivot into other connected systems by chaining with additional server-side functionality exposed by the dashboard.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch 9router to a version greater than 0.4.71 to address CVE-2026-55501.</li>
<li>If patching is not immediately possible, ensure that 9router is deployed behind a trusted reverse proxy (e.g., Nginx, Apache, Caddy) that is configured to overwrite or remove untrusted <code>X-Forwarded-For</code> headers originating from external networks.</li>
<li>Implement strong, complex, and unique passwords for all 9router dashboard accounts, and enforce multi-factor authentication (MFA) if available, as a layered defense against credential-based attacks.</li>
<li>Deploy the Sigma rule &quot;Detect 9router Dashboard Brute-Force Attempts&quot; in this brief to your SIEM to identify sustained failed login activity targeting the <code>/api/auth/login</code> endpoint.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>brute-force</category><category>rate-limit-bypass</category><category>x-forwarded-for</category><category>vulnerability</category><category>web-application</category></item></channel></rss>