CVE-2026-27695
Awaiting Analysis Awaiting Analysis - Queue
DynamoDB Throughput Throttling in zae-limiter Rate Limiting Library

Publication date: 2026-02-25

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
zae-limiter is a rate limiting library using the token bucket algorithm. Prior to version 0.10.1, all rate limit buckets for a single entity share the same DynamoDB partition key (`namespace/ENTITY#{id}`). A high-traffic entity can exceed DynamoDB's per-partition throughput limits (~1,000 WCU/sec), causing throttling that degrades service for that entity β€” and potentially co-located entities in the same partition. Version 0.10.1 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27695
EUVD
EUVD-2026-8642
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zeroae zae-limiter to 0.10.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27695 is a vulnerability in the zae-limiter Python package (versions up to 0.10.0) related to how it uses DynamoDB for rate limiting. The issue arises because all rate limit buckets for a single entity share the same DynamoDB partition key, which causes a 'hot partition' problem."}, {'type': 'paragraph', 'content': "When an entity experiences high traffic, it can exceed DynamoDB's per-partition throughput limits (around 1,000 write capacity units per second). This leads to throttling, which degrades service availability for that entity and potentially for other entities sharing the same partition."}, {'type': 'paragraph', 'content': "Technically, each acquire() call triggers multiple write operations on items with the same partition key, and sustained high request rates can overwhelm DynamoDB's adaptive capacity, causing errors and delays."}, {'type': 'paragraph', 'content': 'The library lacks built-in mitigations such as partition key sharding, write coalescing, or client-side admission control, which exacerbates the problem.'}, {'type': 'paragraph', 'content': 'Version 0.10.1 fixes this issue by implementing a pre-shard bucket design that distributes load across multiple partitions to avoid throttling.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can cause denial of service (DoS) for high-traffic entities using the zae-limiter library. Specifically, when an entity exceeds DynamoDB's per-partition throughput limits, requests can be throttled or rejected."}, {'type': 'paragraph', 'content': 'The impact includes high latency and rejected requests for the affected entity, which can degrade the user experience or disrupt service functionality.'}, {'type': 'paragraph', 'content': 'Additionally, because multiple entities share the same partition key, throttling can cause collateral degradation affecting other entities in the same partition.'}, {'type': 'paragraph', 'content': "In multi-tenant environments, one tenant's burst traffic can negatively impact others, increasing the risk of service instability or outages."}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring DynamoDB metrics and application behavior related to the zae-limiter library. Specifically, look for increased DynamoDB ThrottledRequests metrics and latency spikes in acquire() calls. Additionally, observe if RateLimiterUnavailable exceptions are raised, which indicate throttling due to exceeding per-partition throughput limits.

Reproduction or detection steps include creating or identifying an entity with high rate limits (e.g., 100,000 requests per minute) and sending sustained traffic exceeding approximately 1,000 requests per second to that entity. This can cause DynamoDB adaptive capacity exhaustion and throttling.

Suggested commands or monitoring approaches include:

  • Use AWS CloudWatch to monitor DynamoDB metrics, especially ThrottledRequests and ConsumedWriteCapacityUnits for the relevant tables and partitions.
  • Check application logs for RateLimiterUnavailable exceptions raised by the zae-limiter library.
  • Use AWS CLI commands such as `aws dynamodb describe-table --table-name <table-name>` to inspect table throughput and partition key usage.
  • Generate high traffic load tests targeting specific entities to observe if throttling and latency issues occur.
Mitigation Strategies

The immediate mitigation is to upgrade the zae-limiter library to version 0.10.1 or later, which includes a fix that shards the DynamoDB partition keys to distribute write capacity and prevent hot partition throttling.

Additional mitigation steps include:

  • Implement pre-sharding of rate limit buckets by modifying the partition key to include a shard identifier, isolating each shard into separate partitions.
  • Use the updated library features such as shard selection, retry mechanisms on capacity exhaustion, and dynamic shard doubling to improve throughput and reduce throttling.
  • Monitor DynamoDB write capacity usage and adjust reserved Write Capacity Units (WCU) per bucket to track and manage partition write pressure.
  • Apply client-side admission control or rate limiting to avoid sustained request rates that exceed DynamoDB throughput limits.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27695. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart