{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27695", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-23T17:56:51.202Z", "datePublished": "2026-02-25T14:56:27.221Z", "dateUpdated": "2026-02-26T21:33:41.329Z"}, "containers": {"cna": {"title": "zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/zeroae/zae-limiter/security/advisories/GHSA-76rv-2r9v-c5m6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zeroae/zae-limiter/security/advisories/GHSA-76rv-2r9v-c5m6"}, {"name": "https://github.com/zeroae/zae-limiter/releases/tag/v0.10.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/zeroae/zae-limiter/releases/tag/v0.10.1"}], "affected": [{"vendor": "zeroae", "product": "zae-limiter", "versions": [{"version": "< 0.10.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T14:56:27.221Z"}, "descriptions": [{"lang": "en", "value": "zae-limiter is a rate limiting library using the token bucket algorithm. Prior to version 0.10.1, all rate limit buckets for a single entity share the same DynamoDB partition key (`namespace/ENTITY#{id}`). A high-traffic entity can exceed DynamoDB's per-partition throughput limits (~1,000 WCU/sec), causing throttling that degrades service for that entity \u2014 and potentially co-located entities in the same partition. Version 0.10.1 fixes the issue."}], "source": {"advisory": "GHSA-76rv-2r9v-c5m6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27695", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T21:07:07.167835Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T21:33:41.329Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27695", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-23T17:56:51.202Z", "datePublished": "2026-02-25T14:56:27.221Z", "dateUpdated": "2026-02-26T21:33:41.329Z"}, "containers": {"cna": {"title": "zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/zeroae/zae-limiter/security/advisories/GHSA-76rv-2r9v-c5m6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zeroae/zae-limiter/security/advisories/GHSA-76rv-2r9v-c5m6"}, {"name": "https://github.com/zeroae/zae-limiter/releases/tag/v0.10.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/zeroae/zae-limiter/releases/tag/v0.10.1"}], "affected": [{"vendor": "zeroae", "product": "zae-limiter", "versions": [{"version": "< 0.10.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T14:56:27.221Z"}, "descriptions": [{"lang": "en", "value": "zae-limiter is a rate limiting library using the token bucket algorithm. Prior to version 0.10.1, all rate limit buckets for a single entity share the same DynamoDB partition key (`namespace/ENTITY#{id}`). A high-traffic entity can exceed DynamoDB's per-partition throughput limits (~1,000 WCU/sec), causing throttling that degrades service for that entity \u2014 and potentially co-located entities in the same partition. Version 0.10.1 fixes the issue."}], "source": {"advisory": "GHSA-76rv-2r9v-c5m6", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27695", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T21:07:07.167835Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T21:07:08.563Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zeroae:zae-limiter:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF53AB9A-4E88-4C25-9752-3564CD7DDA1D", "versionEndExcluding": "0.10.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "zae-limiter is a rate limiting library using the token bucket algorithm. Prior to version 0.10.1, all rate limit buckets for a single entity share the same DynamoDB partition key (`namespace/ENTITY#{id}`). A high-traffic entity can exceed DynamoDB's per-partition throughput limits (~1,000 WCU/sec), causing throttling that degrades service for that entity \u2014 and potentially co-located entities in the same partition. Version 0.10.1 fixes the issue."}], "id": "CVE-2026-27695", "lastModified": "2026-02-26T15:38:45.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-25T15:20:52.907", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/zeroae/zae-limiter/releases/tag/v0.10.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/zeroae/zae-limiter/security/advisories/GHSA-76rv-2r9v-c5m6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.10.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "zae-limiter", "source": "cna", "vendor": "zeroae"}, "product": "zae-limiter", "vendor": "zeroae"}], "analysis": {"en": {"generated_at": "2026-04-18T20:36:10.990320+00:00", "value": {"mitigation_remediation": ["Upgrade Zae\u2011Limiter to version 0.10.1 or later so that each entity uses a unique DynamoDB partition key.", "If an upgrade is not immediately feasible, modify the application so that each entity\u2019s bucket hash points to a distinct partition key or move the buckets to separate DynamoDB tables; this breaks the hot\u2011partition and removes the denial\u2011of\u2011service path.", "Configure DynamoDB metrics for write capacity usage and set alerts for throttling events to detect the problem early and respond before service degradation occurs."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All releases of ZeroAE ZaE\u2011Limiter before 0.10.1\u2014including 0.10.0 and earlier\u2014are affected. The library is used in applications that implement request throttling against DynamoDB using a common partition key. The vulnerable component is identified by a CPE that matches ZeroAE ZaE\u2011Limiter.", "description_and_impact": "The suspicious scenario involves the Zae\u2011Limiter rate\u2011limiting library, which uses a token bucket algorithm keyed by a shared DynamoDB partition key. Prior to version 0.10.1, every entity that shares the same namespace uses the identical partition identifier (namespace/ENTITY#{id}). When a single high\u2011traffic entity writes beyond DynamoDB\u2019s per\u2011partition limit of roughly 1,000 write capacity units per second, the table throttles the requests. The throttling propagates back into the rate limiter, causing increased latency or denied writes for that entity and, because all entities share the partition, for other entities that happen to reside in the same partition. The fundamental weakness is a resource\u2011exhaustion flaw (CWE\u2011770) that results in a denial\u2011of\u2011service condition.", "risk_and_exploitability": "The CVSS score of 4.3 deems the vulnerability medium severity. The EPSS score of less than 1% suggests an extremely low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, indicating no known active attacks. An attacker would need to generate a sustained burst of traffic against a particular entity using the library to trigger DynamoDB throttling. The likely attack vector is application\u2011level traffic\u2014either through compromised application credentials or legitimate users sending high request volumes\u2014rather than a dedicated network\u2011exposed service."}}}}, "created": "2026-02-26T13:16:01.723913+00:00", "updated": "2026-04-18T20:45:05.718244+00:00", "vendors": ["zeroae", "zeroae$PRODUCT$zae-limiter"]}