
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27695: The 1,000 WCU Ceiling: Crashing zae-limiter with DynamoDB Hot Partitions


Vulnerability ID: CVE-2026-27695
CVSS Score: 4.3
Published: 2026-02-25

A deep dive into an architectural race condition in the zae-limiter library where the promise of 'infinite scale' collides with the hard reality of DynamoDB physical partition limits. By funneling all rate-limiting state for a single entity into one partition key, the library inadvertently created a 'hot partition' bottleneck. This allows attackers to trigger a denial of service (DoS) simply by exceeding 1,000 write units per second, turning the rate limiter—the very tool designed to prevent floods—into the point of failure.

TL;DR

The zae-limiter library (< v0.10.1) creates a single DynamoDB partition key per entity. Because a single DynamoDB partition is physically limited to ~1,000 Write Capacity Units (WCU) per second, an attacker can crash the rate-limiting service for a specific user (and potentially neighbors on the same shard) simply by flooding it with high-frequency requests.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS: 4.3 (Medium)
  • Impact: Denial of Service
  • Exploit Status: PoC Available
  • Architecture: Serverless / DynamoDB

Affected Systems

  • zae-limiter < 0.10.1 (fixed in 0.10.1)
  • Applications using zae-limiter with the DynamoDB backend

Code Analysis

Commit: 481ce44

Initial implementation of sharding logic and WCU tracking

+ pk = f"{namespace}/BUCKET#{entity}#{resource}#{shard}"
- pk = f"{namespace}/ENTITY#{entity}"
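Review bot: the removed line (`-`) is listed after the added one (`+`), which reverses the usual diff order; show the old `ENTITY#` key first so the change reads as a replacement. On the new key, `{shard}` only relieves the hot partition if the shard value is chosen so that successive writes for the same entity land on different values, and a reader of the bucket must know the shard range to sum over; the hunk shows neither, so document the shard-selection rule and the shard count alongside this change.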

Mitigation Strategies

  • Implement adaptive sharding for DynamoDB keys.
  • Distribute write loads across multiple partition keys.
  • Use DynamoDB Streams for asynchronous aggregation.
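The following is an added example, not code from zae-limiter or from the CVE report, that models the hot-partition problem described in the TL;DR and the sharding mitigation listed above. It reproduces the two key layouts quoted in the commit diff, picks a shard with a hash of a per-request token (a hypothetical selection rule; the library's actual rule is not on this page), sizes the shard count against the ~1,000 WCU per-partition ceiling the report cites, and shows the read-side cost of sharding: a bucket split across shards has to be summed back together. The table is an in-memory dict standing in for DynamoDB, and all request values are constructed.

```python
import hashlib
import math
from collections import Counter

# Per-partition DynamoDB write ceiling cited by the report (writes per second).
PARTITION_WCU_LIMIT = 1000


def unsharded_pk(namespace, entity):
    # Pre-0.10.1 key layout quoted in the report's diff: one key per entity,
    # so every write for that entity lands on the same physical partition.
    return f"{namespace}/ENTITY#{entity}"


def sharded_pk(namespace, entity, resource, shard):
    # Post-fix key layout quoted in the report's diff: the key also carries the
    # resource and a shard number, spreading one entity over several partitions.
    return f"{namespace}/BUCKET#{entity}#{resource}#{shard}"


def choose_shard(request_id, shard_count):
    # Hypothetical shard selection (not the library's): a stable hash of a
    # per-request token, so consecutive writes for one entity rotate across shards.
    digest = hashlib.sha256(request_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % shard_count


def shards_needed(writes_per_second, headroom=0.5):
    # Smallest shard count that keeps each partition under the ceiling with the
    # given headroom (0.5 targets no more than half the ceiling per shard).
    return max(1, math.ceil(writes_per_second / (PARTITION_WCU_LIMIT * headroom)))


def simulate_second(namespace, entity, resource, writes_per_second, shard_count):
    # Distribute one second of bucket writes across partition keys and report the
    # hottest key; shard_count == 1 is the vulnerable single-key layout.
    load = Counter()
    for i in range(writes_per_second):
        if shard_count == 1:
            pk = unsharded_pk(namespace, entity)
        else:
            shard = choose_shard(f"req-{i}", shard_count)  # constructed request token
            pk = sharded_pk(namespace, entity, resource, shard)
        load[pk] += 1
    hottest = max(load.values())
    return {
        "keys": len(load),
        "hottest_wcu": hottest,
        "throttled": hottest > PARTITION_WCU_LIMIT,
    }


def aggregate_tokens(namespace, entity, resource, shard_count, table):
    # Read side of the fix: a sharded bucket must be summed over every shard key.
    # This is the fan-out cost that single-key layouts do not pay.
    return sum(
        table.get(sharded_pk(namespace, entity, resource, s), 0)
        for s in range(shard_count)
    )


if __name__ == "__main__":
    burst = 5000  # constructed flood: 5,000 writes/s for one entity
    print("single key:", simulate_second("ns", "user-1", "api", burst, 1))
    k = shards_needed(burst)
    print(f"{k} shards:", simulate_second("ns", "user-1", "api", burst, k))
    table = {sharded_pk("ns", "user-1", "api", s): 10 for s in range(k)}  # constructed
    print("tokens across shards:", aggregate_tokens("ns", "user-1", "api", k, table))
```

With a constructed 5,000 writes/s burst, the single-key layout puts all 5,000 writes on one partition (five times the ceiling), while ten shards keep every key well under it. The headroom factor matters because hash-based placement is not perfectly even, and the aggregate read is the price of the fix: a limiter that shards its writes must either fan out its reads or keep a separately maintained total, which is what the asynchronous aggregation strategy above refers to.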

Remediation Steps:

  1. Upgrade zae-limiter to version 0.10.1 or later.
  2. Deploy the associated Lambda aggregator for proactive sharding.
  3. Monitor CloudWatch for ProvisionedThroughputExceededException.

References


Read the full report for CVE-2026-27695 on our website for more details including interactive diagrams and full exploit analysis.
