No Protection against Bruteforce attacks on Login page in heroiclabs/nakama


Reported on

May 24th 2022


Nakama Console does not have any limit for the number of unsuccessful login attempts in a very short period of time.

Proof of Concept

  1. Send a login request.
  2. Capture the login request
  3. Replay the login request with different password value.

HTTP request

POST /v2/console/authenticate HTTP/1.1
Host: localhost:7351
Content-Length: 42
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Content-Type: application/json
Origin: http://localhost:7351
Referer: http://localhost:7351/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: <some-cookies>
Connection: close




Login Bruteforce attacks

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. a year ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back a year ago
We have sent a follow up to the heroiclabs/nakama team. We will try again in 7 days. a year ago
heroiclabs/nakama maintainer has acknowledged this report a year ago
Andrei Mihu
a year ago


Thanks for the report, we're looking into this and will respond in more depth as soon as possible.

Niraj Khatiwada modified the report
a year ago
Andrei Mihu validated this vulnerability a year ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Andrei Mihu marked this as fixed in 3.13.0 with commit e2e02f a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation