Allocation of Resources Without Limits or Throttling in frangoteam/fuxa

Valid

Reported on

Aug 2nd 2021

✍️ Description

This endpoint handler performs a file system operation and does not use a rate-limiting mechanism.

🕵️‍♂️ Proof of Concept

{
   fs.writeFileSync(runtime.settings.userSettingsFile, JSON.stringify(req.body, null, 4));
  mergeUserSettings(req.body);
  res.end();
  }

FIx

Consider using a rate-limiting middleware such as express-limit.

"express-rate-limit": "^5.0.0",
];
var start = true;
const app = express();
var RateLimit = require('express-rate-limit');
var limiter = new RateLimit({
    windowMs: 60*1000, // 1 minute
    max: 5
});

💥 Impact

It may enable the attackers to perform Denial-of-service attacks.

References

var RateLimit = require('express-rate-limit'); var limiter = new RateLimit({ windowMs: 60*1000, // 1 minute max: 5

We have contacted a member of the frangoteam/fuxa team and are waiting to hear back a year ago

A frangoteam/fuxa maintainer

commented a year ago

Maintainer

Hi, thanks a lot, I will provide to fix it

Best regards umberto

We have sent a second follow up to the frangoteam/fuxa team. We will try again in 10 days. a year ago

We have sent a third and final follow up to the frangoteam/fuxa team. This report is now considered stale. a year ago

Umberto Nocelli validated this vulnerability a year ago

Thanks a lot

Raptor has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Umberto Nocelli marked this as fixed in 1.1.3 with commit bce95b a year ago

Umberto Nocelli has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation