No password brute-force protection on login page in kareadita/kavita


Reported on

Aug 6th 2022


The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible password combination without any restriction.

Proof of Concept

  1. 1- Send a login request of the target user
POST http://localhost:5000/api/account/login HTTP/1.1
Host: localhost:5000
Proxy-Connection: keep-alive
Content-Length: 35
Content-Type: application/json

  1. 2 - Capture and replay the login request with a different password everytime.


An attacker could perform a brute-force attack targeting normal and administrative users, using different passwords and eventually gain access to the targeted account, without any restriction.

We are processing your report and will contact the kareadita/kavita team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back a year ago
Joe Milazzo validated this vulnerability a year ago

Fixed locally

vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Milazzo marked this as fixed in with commit 9c31f7 a year ago
Joe Milazzo has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation