Soumettre #857925: django-tastypie 0.15.1 at commit 03c4746f0a0f88628be5264bc8d4a19a0529b2f4 CWE-362 Concurrent Execution using Shared Resource with Improperinformation

Titredjango-tastypie 0.15.1 at commit 03c4746f0a0f88628be5264bc8d4a19a0529b2f4 CWE-362 Concurrent Execution using Shared Resource with Improper
Descriptiondjango-tastypie 0.15.1 contains a conditional rate limit bypass in CacheThrottle and CacheDBThrottle. CacheThrottle.should_be_throttled() reads a timestamp list from Django cache, filters it, writes it back, and decides whether the identifier is over the limit. CacheThrottle.accessed() later reads the same list, appends the current timestamp, and writes it back. Resource.dispatch() calls throttle_check() before executing the request handler and log_throttled_access() after the handler, leaving a race window where concurrent requests can all observe the same under-limit state and pass before any request is recorded. The issue requires an application to configure CacheThrottle or CacheDBThrottle with a cache backend shared by concurrent workers. Under those conditions, attackers can exceed configured API throttle limits. Remediation should use atomic cache/backend operations, such as Redis counters, compare-and-set, Lua scripts, or a per-identifier lock around check and accounting.
La source⚠️ https://github.com/django-tastypie/django-tastypie/issues/1700
Utilisateur
 Galaxyn (UID 98388)
Soumission13/06/2026 12:56 (il y a 1 mois)
Modérer18/07/2026 10:27 (1 month later)
StatutAccepté
Entrée VulDB380024 [django-tastypie jusqu’à 0.15.1 tastypie/throttle.py CacheThrottle/CacheDBThrottle race condition]
Points20

Do you know our Splunk app?

Download it now for free!