CVE-2026-27695
zae-limiter < 0.10.1 - Denial of Service via DynamoDB Partition Key Collision
Severity: MEDIUM
zae-limiter is a rate limiting library using the token bucket algorithm. Prior to version 0.10.1, all rate limit buckets for a single entity share the same DynamoDB partition key (`namespace/ENTITY#{id}`). A high-traffic entity can exceed DynamoDB's per-partition throughput limits (~1,000 WCU/sec), causing throttling that degrades service for that entity — and potentially co-located entities in the same partition. Version 0.10.1 fixes the issue.
References (2)
Vendor Advisory (x_refsource_confirm): https://github.com/zeroae/zae-limiter/security/advisories/GHSA-76rv-2r9v-c5m6
Release Notes (x_refsource_misc): https://github.com/zeroae/zae-limiter/releases/tag/v0.10.1
Scores
CVSS v3: 4.3
EPSS: 0.0023
EPSS Percentile: 13.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-770
Status: published
Products (2)
pypi/zae-limiter: 0 - 0.10.1 (PyPI)
zeroae/zae-limiter: < 0.10.1
Published: Feb 25, 2026
Tracked Since: Feb 25, 2026