Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTk4NHAteHE5bS00cmp3

Moderate
Permalink JSON

Rate Limiting Bypass in express-brute

Affected Packages Affected Versions Fixed Versions
npm:express-brute
PURL: pkg:npm/express-brute
<= 1.0.1 No known fixed version
77 Dependent packages
1,155 Dependent repositories
61,037 Downloads last month

Affected Version Ranges

All affected versions

0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.7.0-beta.0, 1.0.0, 1.0.1

All versions of express-brute are vulnerable to Rate Limiting Bypass. Concurrent requests may lead to race conditions that cause the package to incorrectly count requests. This may allow an attacker to bypass the rate limiting provided by the package and execute requests without limiting.

Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.

References:

Identifiers

GHSA-984p-xq9m-4rjw

Risk

Severity

Moderate

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/AdamPflug/express-brute

Date and time

Published

over 6 years ago

Updated

almost 3 years ago

API

JSON