## MEDIUM: Broker Endpoints Lack Rate Limiting, Exposing System to Local Flood Attacks
A security misconfiguration leaves a broker's endpoints without any protection against request flooding. The vulnerability, classified as MEDIUM severity, stems from an absence of resource throttling, allowing a local attacker to flood the broker and potentially disrupt its operations. This flaw maps directly to CWE-770 (Allocation of Resources Without Limits or Throttling) and falls under the OWASP A05:2021 category for Security Misconfiguration, highlighting a fundamental oversight in the system's defensive posture.

The core issue is the lack of any rate-limiting controls on endpoints, including those for user registration and message sending. Without these safeguards, an attacker with local access can execute denial-of-service attacks by overwhelming the broker with excessive requests. The proposed fix involves implementing a sliding-window rate limiter with specific thresholds: a maximum of 10 requests per minute for the registration endpoint, 60 requests per minute per peer for the send-message endpoint, and a global cap of 1000 requests per minute.

To resolve the vulnerability, acceptance criteria mandate that rate-limited requests must return a 429 HTTP status code. The implementation of these controls is essential to mitigate the risk of resource exhaustion and ensure service availability. This exposure underscores the persistent risk that basic security misconfigurations pose to networked systems, even from local threat actors.
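One way to implement the proposed sliding-window limiter and the 429 acceptance criterion, as an added example that is not the broker's own code: each endpoint gets a trailing 60-second window with the thresholds named above (the send-message window is keyed per peer), and a global cap is applied on top. The endpoint names, the peer identifier and the injected clock value are assumptions for illustration.

```python
from collections import defaultdict, deque

# Added example, not the broker's code. Endpoint names, peer ids and the
# injected `now` value (seconds) are assumptions; the limits are the ones
# proposed in the issue.
WINDOW_SECONDS = 60
LIMITS = {"register": 10, "send_message": 60}   # per window; send_message is per peer
GLOBAL_LIMIT = 1000                              # per window, across all endpoints


class SlidingWindowLimiter:
    """Admits at most `limit` events in any trailing window of `window` seconds.

    One timestamp is stored per admitted event, so memory is bounded by
    `limit` per key, and no window can ever contain more than `limit` events
    (a fixed window would admit up to twice the limit across a boundary)."""

    def __init__(self, limit, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)   # key -> timestamps of admitted events

    def allow(self, key, now):
        q = self.events[key]
        # Forget events that have fallen out of the trailing window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False                    # rejected requests are not recorded
        q.append(now)
        return True


class BrokerRateLimits:
    """Global cap first, then the per-endpoint (or per-peer) cap."""

    def __init__(self):
        self.global_limiter = SlidingWindowLimiter(GLOBAL_LIMIT)
        self.endpoint_limiters = {name: SlidingWindowLimiter(n) for name, n in LIMITS.items()}

    def check(self, endpoint, peer_id, now):
        """Return the HTTP status to answer with: 200 if admitted, 429 if limited."""
        if not self.global_limiter.allow("global", now):
            return 429
        # Registration is limited as a whole; send_message is limited per peer.
        key = peer_id if endpoint == "send_message" else "all"
        if not self.endpoint_limiters[endpoint].allow(key, now):
            return 429
        return 200
```

A request that passes the global check but is rejected by its endpoint limit still counts against the global cap, since the broker spent work on it.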
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, rate limiting, security misconfiguration, CWE-770, OWASP A05:2021
- **Credibility**: unverified
- **Published**: 2026-03-30 10:27:25
- **ID**: 40986
- **URL**: https://whisperx.ai/en/intel/40986