PT-2026-32071 — Allocation of Resources Without Limits in Pypi Openssl-Encrypt

PT-2026-32071 · Pypi · Openssl-Encrypt

Published

2026-03-31

Updated

2026-03-31

CVSS v4.0

9.1

Critical

Vector

AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Severity: HIGH

Summary

The TOTP brute-force rate limiter in openssl encrypt server/modules/pepper/totp.py at lines 47-98 uses an in-memory defaultdict(list) as a class variable.

Affected Code

python

class TOTPRateLimiter:
  def  init (self, ...):
    self.attempts: Dict[str, List[datetime]] = defaultdict(list)
    self.lockouts: Dict[str, datetime] = {}

class TOTPService:
   rate limiter = TOTPRateLimiter() # Class variable, in-memory only

Impact

Rate limit state is not shared across multiple server instances/workers — an attacker can distribute attempts
All rate limit state is lost on server restart — allows immediate retry
In multi-worker deployments, each worker has independent rate limit state

Recommended Fix

Use Redis or the database for rate limit state storage
Or use a shared-memory approach for multi-worker deployments
At minimum, persist lockout state to survive restarts

Fix

Fixed in commit 2749bc0 on branch releases/1.4.x — added abstract RateLimitBackend with InMemoryBackend and DatabaseBackend implementations; defaults to DatabaseBackend when DB available.

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-770

Related Identifiers

GHSA-H45M-MGCP-Q388

Affected Products

Openssl-Encrypt