Anonymous Intelligence Signal

GitHub API Rate Limit Bypass Exposed: Anonymous Users Could Spoof IPs, Bypass Daily Scan Quotas

human The Lab unverified 2026-04-04 11:27:01 Source: GitHub Issues

A critical vulnerability in a GitHub-hosted API allowed anonymous users to spoof their IP addresses and completely bypass daily scan quotas, risking abuse of external services and uncontrolled costs. The flaw stemmed from a misconfigured proxy setup that trusted all incoming traffic, making it trivial for attackers to rotate fake IPs with each request and operate with unlimited, untracked access.

The security fix, detailed in a recent pull request, reveals that the system previously relied on unvalidated `X-Forwarded-For` headers for client IP resolution. Its `ProxyHeadersMiddleware` was configured to trust all sources (`trusted_hosts="*"`), an open door for IP spoofing: any client could write the header itself and be believed. This configuration error enabled users to manipulate headers to appear as new, unique clients for every scan, evading rate limits designed to protect both the platform and integrated third-party APIs like VirusTotal.

The implemented changes restrict trusted proxies to only known, secure ranges such as Cloudflare and internal networks, preventing arbitrary header injection. Client IP resolution has been refactored to depend solely on the securely derived `request.client.host`. This patch restores the integrity of rate limiting, prevents cost overruns from abused external API calls, and ensures accurate tracking of user activity, closing a significant operational and financial risk.
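To make the failure mode and the fix concrete, here is an added example (not code from the pull request, and not uvicorn's `ProxyHeadersMiddleware`, whose `trusted_hosts` option the report refers to) that models the header-resolution logic on its own. It resolves the client address from the TCP peer and the `X-Forwarded-For` chain under two policies, trust-everyone versus a fixed proxy allow-list, and feeds the result into a per-client scan counter so the difference in quota enforcement can be checked directly. The proxy ranges `198.51.100.0/24` and `10.0.0.0/8` are constructed stand-ins for the Cloudflare and internal ranges mentioned above, and the `ScanQuota` class is a constructed in-memory counter, not the project's rate limiter.

```python
"""Model of X-Forwarded-For client resolution with a trust-all versus
allow-listed proxy policy, plus a per-client scan quota.

Added example; stand-alone, not the project's or uvicorn's code.
"""
import ipaddress
from collections import defaultdict
from typing import List, Optional, Union

# Constructed stand-ins for the edge-proxy (e.g. Cloudflare) and internal
# ranges the fix trusts; the real project uses its own published lists.
KNOWN_PROXIES: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# The misconfiguration from the report: trust every source.
TRUST_ALL = "*"

TrustPolicy = Union[str, List[ipaddress.IPv4Network]]


def _valid_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _is_trusted(ip: str, trusted: TrustPolicy) -> bool:
    """True if `ip` is a proxy whose forwarded headers we may believe."""
    if trusted == TRUST_ALL:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def resolve_client_ip(peer_ip: str, xff: Optional[str], trusted: TrustPolicy) -> str:
    """Return the address the rate limiter should key on.

    `peer_ip` is the TCP peer (what request.client.host holds before any
    header-based rewriting). The X-Forwarded-For chain is honoured only when
    the peer itself is a trusted proxy; we then walk the hops from the right,
    skipping trusted proxies, and stop at the first address that is not ours.
    Anything further left was written by an untrusted party and is ignored.
    """
    if not xff or not _is_trusted(peer_ip, trusted):
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops or not all(_valid_ip(h) for h in hops):
        return peer_ip  # malformed header: fall back to the socket peer
    if trusted == TRUST_ALL:
        # Every hop counts as trusted, so the resolver believes the leftmost,
        # client-supplied entry. This is the spoofable behaviour.
        return hops[0]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    return peer_ip  # chain contained only our own proxies


class ScanQuota:
    """Constructed in-memory per-client daily scan counter."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, client_key: str) -> bool:
        if self.counts[client_key] >= self.limit:
            return False
        self.counts[client_key] += 1
        return True


def admitted_scans(trusted: TrustPolicy, peer_ip: str, attempts: int, limit: int = 3) -> int:
    """Regression check: one TCP peer sends `attempts` scan requests, each
    carrying a different X-Forwarded-For value (constructed 192.0.2.x), and
    we count how many the quota admits. A correct policy admits at most
    `limit`; the trust-all policy admits every one."""
    quota = ScanQuota(limit)
    admitted = 0
    for i in range(attempts):
        forged_header = f"192.0.2.{i}"
        key = resolve_client_ip(peer_ip, forged_header, trusted)
        if quota.allow(key):
            admitted += 1
    return admitted


if __name__ == "__main__":
    print("trust-all admits:", admitted_scans(TRUST_ALL, "203.0.113.7", 10))
    print("allow-list admits:", admitted_scans(KNOWN_PROXIES, "203.0.113.7", 10))
    print("behind trusted proxy:",
          resolve_client_ip("198.51.100.9", "203.0.113.5", KNOWN_PROXIES))
```

The `admitted_scans` check is the kind of test worth keeping in a project's suite: it fails the moment someone reintroduces `trusted_hosts="*"`. Note that the fixed policy still resolves real clients behind the allow-listed proxies correctly, and that entries a client prepends to the chain ahead of the proxy-written hop are discarded because the walk starts from the right. In a real deployment the counter would live in a shared store rather than process memory, and the middleware would populate `request.client.host` so that the rate limiter never parses the header itself.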