{"data":{"id":"7f26d249-570e-43c6-a0dc-aff4a3a9b37f","title":"GHSA-76rv-2r9v-c5m6: zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service","summary":"The zae-limiter library has a security flaw where all rate limit buckets for a single user share the same DynamoDB partition key (the identifier that determines which storage location holds the data), allowing a high-traffic user to exceed DynamoDB's write limits and cause service slowdowns for that user and potentially others sharing the same partition. This vulnerability affects multi-tenant systems, like shared LLM proxies (AI services shared across multiple customers), where one customer's heavy traffic can degrade service for others.","solution":"The source explicitly describes a remediation design called 'Pre-Shard Buckets' that includes: moving buckets to a new partition key format with sharding (`PK={ns}/BUCKET#{entity}#{resource}#{shard}, SK=#STATE`), auto-injecting a `wcu:1000` reserved limit on every bucket to track DynamoDB write pressure, implementing shard doubling (1→2→4→8) when capacity is exhausted, storing original limits on the bucket with effective limits derived by dividing by shard count, using random or round-robin shard selection with retry logic (maximum 2 retries), lazy shard creation on first access, discovering shards via GSI3 (a secondary index), and implementing a clean break migration with a schema version bump so old buckets are ignored and new buckets are created on first access.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-76rv-2r9v-c5m6","publishedAt":"2026-02-25T22:31:10.000Z","cveId":"CVE-2026-27695","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["zae-limiter@<= 0.10.0 (fixed: 0.10.1)"],"affectedVendors":[],"affectedVendorsRaw":[],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00046,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}