CVE-2026-27695 PUBLISHED

zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service

Assigner: GitHub_M
Reserved: 23.02.2026 Published: 25.02.2026 Updated: 25.02.2026

zae-limiter is a rate limiting library using the token bucket algorithm. Prior to version 0.10.1, all rate limit buckets for a single entity share the same DynamoDB partition key (namespace/ENTITY#{id}). A high-traffic entity can exceed DynamoDB's per-partition throughput limits (~1,000 WCU/sec), causing throttling that degrades service for that entity — and potentially co-located entities in the same partition. Version 0.10.1 fixes the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	zeroae
Product	zae-limiter
Versions	Version < 0.10.1 is affected

References

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE