PT-2025-36509 · Fides · Fides
Daveqnet · Published 2025-09-08 · Updated 2025-09-08 · CVE-2025-57816
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
Fides versions prior to 2.69.1
Description:
Fides is an open-source privacy engineering platform. The built-in IP-based rate limiting in the Fides Webserver API is ineffective when the webserver runs behind a CDN, reverse proxy, or load balancer. Two defects combine. First, the limiter keys its counters on the address of the immediate peer, which in such deployments is the proxy or load balancer rather than the end client; every client arriving through that proxy therefore shares one bucket, so the limit neither isolates an abusive client nor protects legitimate ones sharing the bucket with it. Second, the counters live in process memory rather than in a store shared across webserver instances, so each replica enforces the limit independently and an attacker whose requests are spread across several replicas gets a correspondingly larger budget. Together these let an attacker bypass the rate limits and potentially cause a denial of service. Deployments that rely on an external rate-limiting solution are not affected.
Recommendations:
Update to version 2.69.1 or later.
Implement rate limiting externally at the infrastructure level using a WAF, API gateway, or similar technology. Whichever component enforces the limit must key on the real client address: behind a proxy that means consulting X-Forwarded-For (or an equivalent header) only when the request arrives from one of your own proxies, and taking the nearest hop that is not a trusted proxy rather than the leftmost value, which the client controls. Its counters must also be shared across every instance that receives traffic, otherwise the per-replica bypass above reappears at the new layer.
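The failure described in the Description and the properties the Recommendations ask for, shown as an added example in Python (the language the Fides webserver is written in). This is illustrative code written for this page, not Fides' own implementation or the 2.69.1 fix. The limit, the trusted proxy range, the addresses and the traffic are constructed values; a single process-local dictionary shared by both simulated replicas stands in for a network store such as Redis, and the window id is passed explicitly instead of being derived from the clock so the run is deterministic.

```python
import ipaddress
from collections import defaultdict

# Constructed scenario values (assumptions for this example, not Fides configuration).
LIMIT = 5                    # requests allowed per client per window
TRUSTED = ["10.0.0.0/8"]     # address range our own proxies / load balancers use
LB = "10.0.0.5"              # the load balancer's address, i.e. the peer the webserver sees
ATTACKER = "198.51.100.7"
VICTIM = "203.0.113.20"
# 10 attacker requests followed by 3 legitimate ones, all arriving via the load balancer,
# which puts the real client address in X-Forwarded-For.
TRAFFIC = [(LB, ATTACKER)] * 10 + [(LB, VICTIM)] * 3


def resolve_client_ip(peer_ip, xff, trusted_proxies):
    """Pick the address to rate-limit on.

    X-Forwarded-For is client-controlled up to the point where our own proxy
    appends the address it saw, so it is only consulted when the peer is a
    trusted proxy, and it is walked from the right: the nearest hop that is
    not one of our proxies is the client. Anything left of it may be forged.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in n for n in nets)

    if not xff or not is_trusted(peer_ip):
        return peer_ip
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if not is_trusted(hop):
            return hop
    return peer_ip  # every listed hop is ours: treat the peer as the client


class MemoryStore:
    """Counter store. One instance per process reproduces the vulnerable
    per-replica behaviour; one instance shared by all replicas stands in
    for a network store such as Redis."""

    def __init__(self):
        self._counts = defaultdict(int)

    def incr(self, key):
        self._counts[key] += 1
        return self._counts[key]


class RateLimiter:
    def __init__(self, limit, store, trusted_proxies=(), use_forwarded=True):
        self.limit = limit
        self.store = store
        self.trusted = list(trusted_proxies)
        self.use_forwarded = use_forwarded

    def allow(self, peer_ip, xff, window):
        # The window id is passed explicitly (rather than derived from time)
        # so that the simulation below is deterministic.
        if self.use_forwarded:
            client = resolve_client_ip(peer_ip, xff, self.trusted)
        else:
            client = peer_ip  # the vulnerable choice: keys on the proxy address
        return self.store.incr(f"{client}:{window}") <= self.limit


def run(replicas, traffic):
    """Round-robin requests across webserver replicas (as a load balancer
    would) and count how many requests each client got through."""
    allowed = {xff: 0 for _, xff in traffic}
    for i, (peer, xff) in enumerate(traffic):
        if replicas[i % len(replicas)].allow(peer, xff, window=0):
            allowed[xff] += 1
    return allowed


def simulate_vulnerable():
    """Two replicas, each with private counters, keyed on the peer address."""
    replicas = [RateLimiter(LIMIT, MemoryStore(), use_forwarded=False) for _ in range(2)]
    return run(replicas, TRAFFIC)


def simulate_fixed():
    """Two replicas sharing one store, keyed on the resolved client address."""
    shared = MemoryStore()
    replicas = [RateLimiter(LIMIT, shared, trusted_proxies=TRUSTED) for _ in range(2)]
    return run(replicas, TRAFFIC)


if __name__ == "__main__":
    print("vulnerable:", simulate_vulnerable())  # attacker 10 allowed, victim 0
    print("fixed:     ", simulate_fixed())       # attacker 5 allowed, victim 3
    # A forged header from a direct (untrusted) peer is ignored.
    print(resolve_client_ip("203.0.113.9", "1.2.3.4", TRUSTED))  # 203.0.113.9
```

In the vulnerable run the attacker's ten requests are split across two replicas whose counters never meet, so each replica sees only five and all ten pass, and because both clients hash to the load balancer's address the victim's requests are then refused. In the fixed run the shared counter stops the attacker at five and the victim, now keyed on its own address, is unaffected. The forgery checks show why the trusted-proxy walk matters: a client-supplied X-Forwarded-For arriving directly, or a fake address prepended to the value our proxy appends, never becomes the rate-limit key.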