CVE-2026-27695: zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service
All rate-limit buckets for a single entity share one DynamoDB partition key (namespace/ENTITY#{id}), so the bucket only varies the sort key. A high-traffic entity can therefore push that single key past DynamoDB's per-partition throughput ceiling (about 1,000 WCU/s for writes). The resulting throttling degrades every limiter operation for that entity, and potentially for other entities whose keys land on the same physical partition. Because a partition key cannot be spread across partitions, provisioning more table throughput does not lift this ceiling; the hot key is chosen by the caller's own traffic, which is what makes it a per-entity denial of service.
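The following Python model is added here as an illustration; it is not zae-limiter's code and does not reproduce the upstream fix shipped in v0.10.1. It contrasts the single-key-per-entity layout described above with a hypothetical write-sharded layout, where each bucket's partition key carries a deterministic shard suffix derived from a cryptographic hash of the entity and bucket name, and sums per-key write load against the 1,000 WCU/s ceiling. The function names, the `prod` namespace, the `tenant-hot` entity, the `routeN` bucket names and the workload numbers are all constructed for the example.

```python
"""Illustrative hot-partition model (added example, not zae-limiter's code).

Compares the advisory's layout (one partition key per entity) with a
hypothetical write-sharded layout. The workload is constructed.
"""
import hashlib
from collections import Counter

# DynamoDB's documented per-partition write ceiling, in WCU per second.
PARTITION_WCU_LIMIT = 1000


def entity_pk(namespace: str, entity_id: str, bucket: str) -> str:
    """Layout from the advisory: every bucket of an entity shares one
    partition key; the bucket name only ends up in the sort key."""
    return f"{namespace}/ENTITY#{entity_id}"


def sharded_pk(namespace: str, entity_id: str, bucket: str, shards: int = 8) -> str:
    """Hypothetical mitigation (an assumption, not the project's fix):
    append a shard suffix derived from SHA-256 of (entity, bucket).

    Deterministic, so readers and writers of bucket X compute the same key.
    Cryptographic, so a caller who controls bucket names (e.g. resource
    paths) cannot choose names that all collide onto one shard and
    recreate the hot partition deliberately."""
    digest = hashlib.sha256(f"{entity_id}\x00{bucket}".encode()).digest()
    shard = int.from_bytes(digest[:4], "big") % shards
    return f"{namespace}/ENTITY#{entity_id}#S{shard}"


def partition_load(writes, keyfn, namespace: str = "prod") -> Counter:
    """Sum WCU per partition key for one second of writes.
    writes: iterable of (entity_id, bucket, wcu)."""
    load = Counter()
    for entity_id, bucket, wcu in writes:
        load[keyfn(namespace, entity_id, bucket)] += wcu
    return load


def throttled_keys(load: Counter, limit: int = PARTITION_WCU_LIMIT) -> list:
    """Partition keys whose per-second WCU exceeds the partition ceiling."""
    return sorted(k for k, wcu in load.items() if wcu > limit)


# Constructed workload: one hot entity refreshing 16 buckets at 100 WCU/s
# each (1,600 WCU/s total) plus three quiet entities at 50 WCU/s.
HOT = "tenant-hot"
WORKLOAD = [(HOT, f"route{i}", 100) for i in range(16)]
WORKLOAD += [(f"tenant-{i}", "route0", 50) for i in range(3)]


def compare(workload=WORKLOAD, shards: int = 8) -> dict:
    """Run both layouts over the workload and report the hot entity's fate."""
    naive = partition_load(workload, entity_pk)
    sharded = partition_load(
        workload, lambda ns, e, b: sharded_pk(ns, e, b, shards)
    )
    hot_prefix = f"prod/ENTITY#{HOT}#S"
    hot_shards = {k: v for k, v in sharded.items() if k.startswith(hot_prefix)}
    return {
        "naive_hot_wcu": naive[f"prod/ENTITY#{HOT}"],
        "naive_throttled": throttled_keys(naive),
        "sharded_hot_keys": len(hot_shards),
        "sharded_peak_wcu": max(hot_shards.values()),
        "sharded_throttled": throttled_keys(sharded),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner should keep in mind. First, the read path and the write path must use the same shard function, and any operation that aggregates several of an entity's buckets now touches several keys, so a single-item transactional read-modify-write per bucket still works but a "list all buckets for this entity" query no longer does. Second, sharding raises the per-entity ceiling to roughly `shards` times the partition limit; it does not remove it, so a deliberately abusive caller still needs a request-level limit in front of the store.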
References
- github.com/advisories/GHSA-76rv-2r9v-c5m6
- github.com/zeroae/zae-limiter
- github.com/zeroae/zae-limiter/commit/481ce44d818d66e31d8837bc48519660ce4c267f
- github.com/zeroae/zae-limiter/releases/tag/v0.10.1
- github.com/zeroae/zae-limiter/security/advisories/GHSA-76rv-2r9v-c5m6
- nvd.nist.gov/vuln/detail/CVE-2026-27695