Unknown · Zae-Limiter · CVE-2026-27695
**Name of the Vulnerable Software and Affected Versions**
zae-limiter versions prior to 0.10.1
**Description**
zae-limiter, a rate-limiting library built on the token bucket algorithm, is susceptible to DynamoDB hot-partition throttling because all rate-limit buckets for a single entity share the same partition key (`namespace/ENTITY#{id}`). A high-traffic entity can therefore exceed DynamoDB's per-partition throughput limit of approximately 1,000 Write Capacity Units (WCU) per second, degrading service for that entity and potentially for other entities co-located in the same partition. Each `acquire()` call issues a `TransactWriteItems` operation against items that share this partition key, so sustained rates above approximately 500 requests per second for a single entity can produce `ProvisionedThroughputExceededException` errors. The library provides no built-in mitigation such as partition-key sharding, write coalescing, client-side admission control, or effective handling of `RateLimiterUnavailable` exceptions. The result is an availability and fairness problem, with particular risk in multi-tenant deployments where one tenant's traffic can impact others. The issue manifests as increased DynamoDB `ThrottledRequests` and elevated `acquire()` latency.
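As an added illustration (not zae-limiter's own code; `sharded_key`, `AdmissionGate`, `guarded_acquire` and the `RateLimiterUnavailable` stand-in are hypothetical), the following places the single-key layout from the description next to two of the mitigations it lists: partition-key sharding and client-side admission control with fail-closed handling when the backend is already throttled.

```python
import hashlib
import time
from collections import Counter

PARTITION_WCU_LIMIT = 1000  # approximate DynamoDB per-partition write ceiling, from the advisory

def unsharded_key(namespace: str, entity_id: str) -> str:
    # Key layout the advisory describes: every bucket of an entity lands on one partition key.
    return f"{namespace}/ENTITY#{entity_id}"

def sharded_key(namespace: str, entity_id: str, request_id: str, shards: int) -> str:
    # Hypothetical mitigation: hash each request onto one of `shards` sub-keys so a hot
    # entity's writes spread over several partitions. Each shard must then hold only
    # capacity/shards tokens, otherwise the effective limit is multiplied by `shards`.
    shard = int(hashlib.sha256(request_id.encode()).hexdigest(), 16) % shards
    return f"{namespace}/ENTITY#{entity_id}#S{shard}"

def peak_writes_per_key(keys: list) -> int:
    # Writes hitting the single hottest partition key for one second of constructed traffic.
    return max(Counter(keys).values())

class RateLimiterUnavailable(Exception):
    """Stand-in for the exception the advisory names; not imported from the library."""

class AdmissionGate:
    """Client-side token bucket that caps how many acquire() calls reach DynamoDB."""

    def __init__(self, rate: float, burst: float, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last = burst, clock()

    def admit(self) -> bool:
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def guarded_acquire(gate: AdmissionGate, backend_acquire) -> str:
    # Shed locally before the backend is overloaded; fail closed if it is already throttled.
    if not gate.admit():
        return "shed"
    try:
        return "allowed" if backend_acquire() else "denied"
    except RateLimiterUnavailable:
        return "unavailable"
```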
**Recommendations**
zae-limiter versions prior to 0.10.1 should be updated to version 0.10.1 or later.