PT-2026-21917 · Unknown · Zae-Limiter

Sodre · Published 2026-02-25 · Updated 2026-02-28 · CVE-2026-27695

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: zae-limiter versions prior to 0.10.1

Description: zae-limiter, a rate limiting library based on the token bucket algorithm, is susceptible to throttling because all rate limit buckets for a single entity share the same DynamoDB partition key (namespace/ENTITY#{id}). A high-traffic entity can exceed DynamoDB's per-partition throughput limit of approximately 1,000 Write Capacity Units (WCU) per second, degrading service for that entity and potentially for other entities co-located in the same partition. Each acquire() call performs a TransactWriteItems operation against items that share this partition key, so sustained rates above approximately 500 requests per second for a single entity can produce ProvisionedThroughputExceededException errors. The library provides no built-in mitigation such as partition key sharding, write coalescing, client-side admission control, or effective handling of RateLimiterUnavailable exceptions. The result is an availability and fairness problem, with particular risk in multi-tenant deployments where one tenant's traffic can affect others. The issue manifests as increased DynamoDB ThrottledRequests and elevated acquire() latency.

Recommendations: zae-limiter versions prior to 0.10.1 should be updated to version 0.10.1 or later.


Weakness Enumeration

Allocation of Resources Without Limits
Related Identifiers

CVE-2026-27695
GHSA-76RV-2R9V-C5M6

Affected Products

Zae-Limiter