Allocation of Resources Without Limits or Throttling in frangoteam/fuxa

Valid

Reported on Aug 2nd 2021

✍️ Description

The endpoint handler shown below writes the request body straight to the user settings file with a synchronous fs.writeFileSync on every call, and no rate-limiting mechanism is applied to the route. A client can therefore trigger an unbounded number of blocking disk writes simply by repeating the request.

🕵️‍♂️ Proof of Concept

// Tail of the Express route handler that saves user settings: the body is
// written to disk synchronously on every request, with no throttling.
{
    fs.writeFileSync(runtime.settings.userSettingsFile, JSON.stringify(req.body, null, 4));
    mergeUserSettings(req.body);
    res.end();
}

Fix

Consider using a rate-limiting middleware such as express-rate-limit. Note that express-rate-limit keys its counters on req.ip by default, so when the server sits behind a reverse proxy Express's trust proxy setting must be enabled for the real client address, rather than the proxy's, to be counted.

In package.json dependencies:

    "express-rate-limit": "^5.0.0",

In the server setup, next to the existing Express app:

    const express = require('express');
    const rateLimit = require('express-rate-limit');
    const app = express();
    const limiter = rateLimit({
        windowMs: 60 * 1000, // 1 minute
        max: 5               // at most 5 requests per client per window
    });
    // Apply globally, or mount only on the settings route that writes to disk.
    app.use(limiter);

💥 Impact

An attacker who can reach this endpoint can repeatedly trigger synchronous writes of attacker-supplied bodies to the settings file, consuming disk I/O and blocking the Node.js event loop for the duration of each write, which can leave the application unresponsive (denial of service).

We have contacted a member of the frangoteam/fuxa team and are waiting to hear back. (7 months ago)

frangoteam/fuxa maintainer, 7 months ago:

Hi, thanks a lot, I will provide to fix it

Best regards, Umberto

We have sent a second follow up to the frangoteam/fuxa team. We will try again in 10 days. (7 months ago)
We have sent a third and final follow up to the frangoteam/fuxa team. This report is now considered stale. (7 months ago)
Umberto Nocelli validated this vulnerability a month ago

Thanks a lot

Raptor has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Umberto Nocelli confirmed that a fix has been merged on bce95b a month ago
Umberto Nocelli has been awarded the fix bounty