Context Switching Race Condition in circuitverse/circuitverse


Reported on Aug 24th 2021

✍️ Description

No rate limit allows sending unlimited emails to any mail address.

🕵️‍♂️ Proof of Concept

During forgot-password there is no rate limit on sending the password-reset email, which allows sending unlimited emails to a mail address. The request below is vulnerable to the rate-limit bug:

POST /users/password HTTP/2
Cookie: ahoy_visitor=d2bc2d97-c241-4206-b410-430ad9b3719b; ahoy_visit=6565f39e-3719-4566-b746-bcd2f6505c3f; _logix_session=MAuX7x%2Bz8TNHnbiRIwNscgujjY6sP7L9rzzn4eT7AFt8xU%2B0O1E0YbVB8m%2FA3s06kZIuHoj6yZFknGQU0FP12tsbfFEfRExYeKG5y4y%2B8c4oanbH57E0qTcSFa46SnP0CeCmkNnMZ33CmO%2BjC9ybJZDktYPkHgAhT13CS9dx1kkVII0NE6kFLDC8iCsbLf%2BhlMmLQm8cH5s5oK4A077jx8T6IWz1qAJnFteL5K%2FsZCFlJv3FUtE8d%2FsX9aiH3TtcOwSuOqsJE77P1La6RSPS%2F5U1NmqsZ8Tvg7KLSHKGv%2FiracMEDmoWSgU%2B6z7SLQT7pCE%3D--uJiHpLajQNxxHZb3--WqMoRZqNrNo6qWsO92TJwg%3D%3D
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
Content-Length: 191
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: same-origin
Sec-Fetch-Site: same-origin
Te: trailers


Here, in this request, change the email-id to any registered email-id.
Now send this request unlimited times and the victim's email address will receive unlimited password-reset emails.
Also, an attacker can make this into Python code and send unlimited emails.
You should set a rate limit there to prevent this.

💥 Impact

An attacker can send unlimited emails to any mail address. Many email service providers have limited email sending, like 10000 emails per month. If you exceed that limit, you will be charged extra. So, using this attack, an attacker can exceed that limit and the company will be charged extra money.
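One way to close the gap the PoC demonstrates, as an added example and not CircuitVerse's actual fix (which the page does not show): a Rack-style middleware that throttles POST /users/password both per client IP and per target address, so the limit holds even when requests come from many sources. The Devise `user[email]` field name, the limit values, the frozen clock and the sample IPs are assumptions, since the request body is not shown above.

```ruby
require "uri"
require "stringio"

# Added example (not CircuitVerse's code): Rack-style middleware that throttles
# POST /users/password from the report, counting per source IP and per target
# address (the "email-id" in the PoC) so rotating IPs cannot flood one inbox.
class PasswordResetThrottle
  # Constructed limits: reset requests per 10 min per IP, and per hour per address.
  LIMITS = { ip: { max: 10, period: 600 }, email: { max: 3, period: 3600 } }.freeze

  def initialize(app, clock: -> { Time.now.to_i })
    @app, @clock = app, clock
    @buckets = Hash.new(0) # {[scope, key, window] => hits}; use Redis in production
  end

  def call(env)
    return @app.call(env) unless env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == "/users/password"
    email = target_email(env)
    if over_limit?(:ip, env["REMOTE_ADDR"].to_s) || (email && over_limit?(:email, email))
      return [429, { "content-type" => "text/plain", "retry-after" => "600" }, ["Too many reset requests\n"]]
    end
    @app.call(env)
  end

  private
  # Assumes Devise's default user[email] field (body not shown in the report); normalised so variants share a bucket.
  def target_email(env)
    input = env["rack.input"] or return nil
    addr = URI.decode_www_form(input.read).to_h["user[email]"]
    input.rewind # leave the body readable for the app downstream
    addr&.strip&.downcase
  end

  # Fixed-window counter: true once (scope, key) exceeds max in the current window.
  def over_limit?(scope, key)
    max, period = LIMITS[scope].values_at(:max, :period)
    (@buckets[[scope, key, @clock.call / period]] += 1) > max
  end
end

# Constructed sample: replay the report's request once per [ip, email] pair under a frozen clock; returns statuses.
def replay_reset_requests(requests)
  app = ->(_env) { [200, {}, ["reset mail sent\n"]] }
  throttle = PasswordResetThrottle.new(app, clock: -> { 1_629_800_000 })
  requests.map do |ip, email|
    env = { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/users/password", "REMOTE_ADDR" => ip,
            "rack.input" => StringIO.new(URI.encode_www_form("user[email]" => email)) }
    throttle.call(env).first
  end
end
```

Replaying the same request five times yields three 200s and then 429s, and spreading the same address over four IPs is still cut off at the fourth request because the per-address bucket is independent of the per-IP one.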

We have contacted a member of the circuitverse team and are waiting to hear back a year ago
Aboobacker MK
a year ago

This is a valid issue, the same as you reported before, and we are working on implementing the rate limiter. But the linked CVE is still misleading. I think is more appropriate in this context.

a year ago


Yes, agree.
The provided CVE is inaccurate.
But please ignore it. I will take care of it in my future reports.

Aboobacker MK validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Aboobacker MK
a year ago

Fixed in by @gr455

Aboobacker MK confirmed that a fix has been merged on 879d14 a month ago
The fix bounty has been dropped