GHSA-984p-xq9m-4rjw – express-brute
Package
Manager: npm
Name: express-brute
Vulnerable Version: >=0 <=1.0.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Rate Limiting Bypass in express-brute

All versions of `express-brute` are vulnerable to Rate Limiting Bypass. Concurrent requests may lead to race conditions that cause the package to incorrectly count requests. This may allow an attacker to bypass the rate limiting provided by the package and execute requests without being rate limited.

## Recommendation

No fix is currently available. Consider using an alternative module until a fix is made available.
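The counting race described in the details above, as an added example: this is a constructed model of the bug class, not express-brute's code and not a fix for it. Each `yield` stands for an asynchronous store round trip, and `LIMIT`, `racyAllow`, `atomicAllow` and `simulate` are hypothetical names.

```javascript
const LIMIT = 3; // constructed limit: requests allowed per key

// Racy limiter: read the count, check it, write it back. Each `yield` marks
// an async store round trip, where Node can switch to another request.
function* racyAllow(store, key) {
  const count = store.get(key) || 0; // read
  yield;                             // other in-flight requests run here
  if (count >= LIMIT) return false;
  store.set(key, count + 1);         // writes back a possibly stale value + 1
  yield;
  return true;
}

// Atomic limiter: increment and read in one uninterrupted step (the shape of
// a store-side atomic increment), then decide from the value it returned.
function* atomicAllow(store, key) {
  const count = (store.get(key) || 0) + 1;
  store.set(key, count);
  yield;
  return count <= LIMIT;
}

// Round-robin scheduler: each wave starts `concurrent` requests together and
// steps them in turn until all finish. Waves share one store.
function simulate(limiter, concurrent, waves = 1) {
  const store = new Map();
  const key = 'constructed-client-key';
  let allowed = 0;
  for (let w = 0; w < waves; w += 1) {
    let pending = Array.from({ length: concurrent }, () => limiter(store, key));
    while (pending.length > 0) {
      pending = pending.filter((req) => {
        const step = req.next();
        if (step.done && step.value) allowed += 1;
        return !step.done;
      });
    }
  }
  return { allowed, stored: store.get(key) };
}

console.log('racy, 20 one at a time:', simulate(racyAllow, 1, 20));
console.log('racy, 20 concurrent   :', simulate(racyAllow, 20));
console.log('atomic, 20 concurrent :', simulate(atomicAllow, 20));
```

The stored count is also a detection signal: in the racy concurrent run it ends far below the number of requests actually served, so a limiter's counter that disagrees with access-log volume for the same key points to this kind of miscount.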
Metadata
Created: 2019-06-07T21:01:53Z
Modified: 2021-08-04T21:03:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-984p-xq9m-4rjw/GHSA-984p-xq9m-4rjw.json
CWE IDs: ["CWE-77"]
Alternative ID: N/A
Finding: F422
Auto approve: 1