Common Weakness Enumeration

CWE-799

Allowed-with-Review

Improper Control of Interaction Frequency

Abstraction: Class · Status: Incomplete

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

108 vulnerabilities reference this CWE, most recent first.

GHSA-775H-3XRC-C228

Vulnerability from github – Published: 2026-03-11 00:21 – Updated: 2026-03-11 00:21
VLAI
Summary
Parse Server has a rate limit bypass via batch request endpoint
Details

Impact

Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit.

Any Parse Server deployment that relies on the built-in rate limiting feature is affected.

Patches

The fix adds a pre-flight check in the batch request handler that counts the number of sub-requests targeting each rate-limited path and rejects the entire batch request if any path's count exceeds its configured requestCount.

Note that this is a server-level rate limit that counts sub-requests within a single batch request. Requests already consumed in the current time window by previous individual or batch requests are not counted against the batch, so the effective limit may be higher when combining individual and batch requests. For comprehensive rate limiting protection, use a reverse proxy or WAF.

Workarounds

Use a reverse proxy or web application firewall (WAF) to enforce rate limiting before requests reach Parse Server.

References

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228
  • Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10
  • Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.23
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0-alpha.1"
            },
            {
              "fixed": "9.5.2-alpha.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.6.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30972"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:21:51Z",
    "nvd_published_at": "2026-03-10T21:16:49Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nParse Server\u0027s rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (`/batch`) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit.\n\nAny Parse Server deployment that relies on the built-in rate limiting feature is affected.\n\n### Patches\n\nThe fix adds a pre-flight check in the batch request handler that counts the number of sub-requests targeting each rate-limited path and rejects the entire batch request if any path\u0027s count exceeds its configured `requestCount`.\n\nNote that this is a server-level rate limit that counts sub-requests within a single batch request. Requests already consumed in the current time window by previous individual or batch requests are not counted against the batch, so the effective limit may be higher when combining individual and batch requests. For comprehensive rate limiting protection, use a reverse proxy or WAF.\n\n### Workarounds\n\nUse a reverse proxy or web application firewall (WAF) to enforce rate limiting before requests reach Parse Server.\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.23",
  "id": "GHSA-775h-3xrc-c228",
  "modified": "2026-03-11T00:21:51Z",
  "published": "2026-03-11T00:21:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-775h-3xrc-c228"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30972"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.23"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Parse Server has a rate limit bypass via batch request endpoint"
}

GHSA-79QG-7G83-CMF7

Vulnerability from github – Published: 2025-11-18 21:32 – Updated: 2025-11-19 18:31
VLAI
Details

In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating reset password requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-18T19:15:49Z",
    "severity": "CRITICAL"
  },
  "details": "In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an email bombing vulnerability. An authenticated attacker can exploit this by automating reset password requests.",
  "id": "GHSA-79qg-7g83-cmf7",
  "modified": "2025-11-19T18:31:18Z",
  "published": "2025-11-18T21:32:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54321"
    },
    {
      "type": "WEB",
      "url": "https://github.com/saykino/CVE-2025-54321"
    },
    {
      "type": "WEB",
      "url": "https://www.ascertia.com/company/vulnerability-disclosure-policy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-823F-VX3M-4692

Vulnerability from github – Published: 2024-06-21 00:33 – Updated: 2025-07-30 18:31
VLAI
Details

An attacker may be able to cause a denial-of-service condition by sending many SSH packets repeatedly.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32943"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-20T23:15:51Z",
    "severity": "HIGH"
  },
  "details": "An attacker may be able to cause a denial-of-service condition by sending many SSH packets repeatedly.",
  "id": "GHSA-823f-vx3m-4692",
  "modified": "2025-07-30T18:31:26Z",
  "published": "2024-06-21T00:33:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32943"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-172-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-852G-3F6P-43MM

Vulnerability from github – Published: 2024-09-11 12:30 – Updated: 2024-09-18 21:30
VLAI
Details

This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints which could lead to the OTP bombing/flooding on the targeted system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45788"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-11T12:15:02Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints which could lead to the OTP bombing/flooding on the targeted system.",
  "id": "GHSA-852g-3f6p-43mm",
  "modified": "2024-09-18T21:30:44Z",
  "published": "2024-09-11T12:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45788"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0291"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-8XX5-GHFP-WG5C

Vulnerability from github – Published: 2024-10-04 15:31 – Updated: 2024-10-16 15:32
VLAI
Details

This vulnerability exists in Shilpi Client Dashboard due to lack of rate limiting and Captcha protection for OTP requests in certain API endpoint. An unauthenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints, which could lead to the OTP bombing on the targeted system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-04T13:15:11Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability exists in Shilpi Client Dashboard due to lack of rate limiting and Captcha protection for OTP requests in certain API endpoint. An unauthenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints, which could lead to the OTP bombing on the targeted system.",
  "id": "GHSA-8xx5-ghfp-wg5c",
  "modified": "2024-10-16T15:32:06Z",
  "published": "2024-10-04T15:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47654"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2024-0313"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9H9C-F287-C6VP

Vulnerability from github – Published: 2018-11-06 23:16 – Updated: 2022-09-14 22:02
VLAI
Summary
Improper Control of Interaction Frequency in Apache syncope-core
Details

A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.syncope:syncope-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.syncope:syncope-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-17184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:28:47Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "A malicious user with enough administration entitlements can inject html-like elements containing JavaScript statements into Connector names, Report names, AnyTypeClass keys and Policy descriptions. When another user with enough administration entitlements edits one of the Entities above via Admin Console, the injected JavaScript code is executed.",
  "id": "GHSA-9h9c-f287-c6vp",
  "modified": "2022-09-14T22:02:16Z",
  "published": "2018-11-06T23:16:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17184"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-9h9c-f287-c6vp"
    },
    {
      "type": "WEB",
      "url": "https://syncope.apache.org/security#CVE-2018-17184:_Stored_XSS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Control of Interaction Frequency in Apache syncope-core"
}

GHSA-9J2R-2287-24HF

Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-03-13 21:31
VLAI
Details

wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22216"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-13T19:54:11Z",
    "severity": "MODERATE"
  },
  "details": "wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts.",
  "id": "GHSA-9j2r-2287-24hf",
  "modified": "2026-03-13T21:31:46Z",
  "published": "2026-03-13T21:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22216"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/wpdiscuz"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/wpdiscuz/#developers"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/wpdiscuz-before-no-rate-limiting-on-subscription-endpoints-with-like-wildcard-bypass"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CWQF-2QF9-9MH4

Vulnerability from github – Published: 2025-03-13 12:30 – Updated: 2025-03-13 12:30
VLAI
Details

This vulnerability exists in the CAP back office application due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-29998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-13T12:15:14Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability exists in the CAP back office application due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted system.",
  "id": "GHSA-cwqf-2qf9-9mh4",
  "modified": "2025-03-13T12:30:32Z",
  "published": "2025-03-13T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29998"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2025-0048"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FQ34-XW6C-FPHF

Vulnerability from github – Published: 2025-09-08 20:45 – Updated: 2025-09-13 04:41
VLAI
Summary
Fides Webserver API Rate Limiting Vulnerability in Proxied Environments
Details

Summary

The Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service.

This vulnerability only affects deployments relying on Fides's built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected.

Details

The vulnerability has two components:

  1. Rate limiting uses the immediate connection source IP instead of the actual client IP
  2. Rate limit counters are maintained in-memory per container rather than in a shared store

In production environments, these issues allow clients to exceed intended rate limits and enable attackers to trigger rate limits on infrastructure IPs, causing legitimate clients to receive 429 responses.

Impact

This vulnerability affects availability, allowing attackers to:

  • Bypass rate limits, potentially leading to resource exhaustion
  • Cause a denial of service for legitimate clients by deliberately triggering rate limits on infrastructure IPs

Patches

The vulnerability has been patched in Fides version 2.69.1. Users are advised to upgrade to this version or later to secure their systems against this threat.

Workarounds

There are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology.

Risk Level

This vulnerability has been assigned a severity of MEDIUM.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ethyca-fides"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.69.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-307",
      "CWE-770",
      "CWE-799"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-08T20:45:51Z",
    "nvd_published_at": "2025-09-08T22:15:33Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe Fides Webserver API\u0027s built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service.\n\nThis vulnerability only affects deployments relying on Fides\u0027s built-in rate limiting for protection. Deployments using external rate limiting solutions (WAFs, API gateways, etc.) are not affected.\n\n### Details\n\nThe vulnerability has two components:\n\n1. Rate limiting uses the immediate connection source IP instead of the actual client IP\n2. Rate limit counters are maintained in-memory per container rather than in a shared store\n\nIn production environments, these issues allow clients to exceed intended rate limits and enable attackers to trigger rate limits on infrastructure IPs, causing legitimate clients to receive 429 responses.\n\n### Impact\n\nThis vulnerability affects availability, allowing attackers to:\n\n- Bypass rate limits, potentially leading to resource exhaustion\n- Cause a denial of service for legitimate clients by deliberately triggering rate limits on infrastructure IPs\n\n### Patches\n\nThe vulnerability has been patched in Fides version `2.69.1`. Users are advised to upgrade to this version or later to secure their systems against this threat.\n\n### Workarounds\n\nThere are no application-level workarounds. However, rate limiting may instead be implemented externally at the infrastructure level using a WAF, API Gateway, or similar technology.\n\n### Risk Level\n\nThis vulnerability has been assigned a severity of MEDIUM.",
  "id": "GHSA-fq34-xw6c-fphf",
  "modified": "2025-09-13T04:41:24Z",
  "published": "2025-09-08T20:45:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/security/advisories/GHSA-fq34-xw6c-fphf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57816"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/commit/59903c195e2f9f8915a1db94950aefd557033a5c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ethyca/fides"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ethyca/fides/releases/tag/2.69.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fides Webserver API Rate Limiting Vulnerability in Proxied Environments"
}

GHSA-GJG5-GGC5-2G7V

Vulnerability from github – Published: 2025-02-14 12:31 – Updated: 2025-02-14 12:31
VLAI
Details

This vulnerability exists in RupeeWeb trading platform due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints which could lead to the OTP bombing/ flooding on the targeted system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-799"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-14T12:15:29Z",
    "severity": "MODERATE"
  },
  "details": "This vulnerability exists in RupeeWeb trading platform due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints which could lead to the OTP bombing/ flooding on the targeted system.",
  "id": "GHSA-gjg5-ggc5-2g7v",
  "modified": "2025-02-14T12:31:39Z",
  "published": "2025-02-14T12:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26524"
    },
    {
      "type": "WEB",
      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01\u0026VLCODE=CIVN-2025-0020"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.