Allocation of Resources Without Limits or Throttling in frangoteam/fuxa


Reported on

Aug 2nd 2021

✍️ Description

This endpoint handler performs a file system operation and does not use a rate-limiting mechanism.

🕵️‍♂️ Proof of Concept

   fs.writeFileSync(runtime.settings.userSettingsFile, JSON.stringify(req.body, null, 4));


Consider using a rate-limiting middleware such as express-limit.

"express-rate-limit": "^5.0.0",
var start = true;
const app = express();
var RateLimit = require('express-rate-limit');
var limiter = new RateLimit({
    windowMs: 60*1000, // 1 minute
    max: 5

💥 Impact

It may enable the attackers to perform Denial-of-service attacks.

We have contacted a member of the frangoteam/fuxa team and are waiting to hear back a year ago
frangoteam/fuxa maintainer
a year ago


Hi, thanks a lot, I will provide to fix it

Best regards umberto

We have sent a second follow up to the frangoteam/fuxa team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the frangoteam/fuxa team. This report is now considered stale. a year ago
Umberto Nocelli validated this vulnerability a year ago

Thanks a lot

Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Umberto Nocelli marked this as fixed in 1.1.3 with commit bce95b a year ago
Umberto Nocelli has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation