CVE-2026-27695

CVE-2026-27695 is a medium-severity allocation of resources without limits or throttling vulnerability in zae-limiter (pip), affecting versions <= 0.10.0. It is fixed in 0.10.1.

Summary

All rate limit buckets for a single entity share the same DynamoDB partition key (namespace/ENTITY#{id}). A high-traffic entity can exceed DynamoDB's per-partition throughput limits (~1,000 WCU/sec), causing throttling that degrades service for that entity, and potentially co-located entities in the same partition.

Details

Each acquire() call performs a TransactWriteItems (or UpdateItem in speculative mode) against items sharing the same partition key. For cascade entities, this doubles to 2-4 writes per request (child + parent). At sustained rates above ~500 req/sec for a single entity, DynamoDB's adaptive capacity may not redistribute fast enough, causing ProvisionedThroughputExceededException.

The library has no built-in mitigation:

  • No partition key sharding/salting
  • No write coalescing or batching
  • No client-side admission control before hitting DynamoDB
  • RateLimiterUnavailable is raised but the caller has already been delayed

Reproduction

  1. Create an entity with high rate limits (e.g., 100,000 rpm)
  2. Send sustained traffic at 1,000+ req/sec to a single entity
  3. Observe DynamoDB ThrottledRequests CloudWatch metric increasing
  4. Observe acquire() latency spikes and RateLimiterUnavailable exceptions

Remediation Design: Pre-Shard Buckets

  • Move buckets to PK={ns}/BUCKET#{entity}#{resource}#{shard}, SK=#STATE, one partition per (entity, resource, shard)
  • Auto-inject a reserved wcu:1000 limit on every bucket to track DynamoDB partition write pressure in-band (the name may change during implementation)
  • Shard doubling (1→2→4→8) triggered by client on wcu exhaustion or proactively by aggregator
  • Shard 0 (suffix #0) is the source of truth for shard_count; the aggregator propagates it to the other shards
  • Original limits are stored on the bucket; effective limits are derived as original / shard_count. Infrastructure limits (wcu) are not divided
  • Shard selection: random or round-robin. On application-limit exhaustion, retry on another shard (max 2 retries)
  • Lazy shard creation on first access
  • Bucket discovery via GSI3 (KEYS_ONLY) + BatchGetItem. GSI2 for resource aggregation unchanged
  • Cascade: parent unaware, protected by own wcu
  • Aggregator: parse new PK format, key by shard_id, effective limits for refill, filter wcu from snapshots
  • Clean break migration: schema version bump, old buckets ignored, new buckets created on first access
  • $0.625/M preserved on hot path
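The following is an added example, not zae-limiter's own code or the project's implementation of this design: an in-memory model of the pre-shard bucket scheme sketched in the bullets above. The PK format, shard 0 as the source of truth for shard_count, effective limit = original / shard_count, the undivided wcu budget, client-triggered shard doubling on wcu exhaustion, lazy shard creation and retry on another shard (max 2 retries) follow the design. The dict standing in for the DynamoDB table, the token-bucket bookkeeping, the synchronous propagation and refill (which the design assigns to the aggregator) and every class and function name are assumptions made for illustration.

```python
"""Added example (not zae-limiter's code): in-memory model of pre-shard buckets.
A dict stands in for the DynamoDB table; names and bookkeeping are assumptions."""
from dataclasses import dataclass

WCU_LIMIT = 1000   # per-shard write budget, from the design's "wcu:1000" reserved limit
MAX_RETRIES = 2    # retries on another shard after application-limit exhaustion


class RateLimiterUnavailable(Exception):
    """Raised when the chosen shard's write budget (wcu) is exhausted."""


@dataclass
class Bucket:
    original_limit: int    # application limit as configured; never divided or mutated
    shard_count: int       # authoritative on shard 0 only; propagated to other shards
    tokens: int            # remaining application tokens on this shard
    wcu: int = WCU_LIMIT   # infrastructure budget; NOT divided across shards


def bucket_pk(ns: str, entity: str, resource: str, shard: int) -> str:
    """PK={ns}/BUCKET#{entity}#{resource}#{shard}; SK=#STATE is implied."""
    return f"{ns}/BUCKET#{entity}#{resource}#{shard}"


class ShardedLimiter:
    def __init__(self, ns: str):
        self.ns = ns
        self.store: dict[str, Bucket] = {}              # stands in for the DynamoDB table
        self._rr: dict[tuple[str, str], int] = {}       # round-robin cursor per (entity, resource)

    def create(self, entity: str, resource: str, limit: int) -> None:
        # shard 0 is created eagerly: it is the source of truth for shard_count
        self.store[bucket_pk(self.ns, entity, resource, 0)] = Bucket(limit, 1, limit)

    def _shard0(self, entity: str, resource: str) -> Bucket:
        return self.store[bucket_pk(self.ns, entity, resource, 0)]

    def shard_count(self, entity: str, resource: str) -> int:
        return self._shard0(entity, resource).shard_count

    def effective_limit(self, entity: str, resource: str) -> int:
        # effective limit is derived, never stored: original / shard_count
        b0 = self._shard0(entity, resource)
        return b0.original_limit // b0.shard_count

    def _bucket(self, entity: str, resource: str, shard: int) -> Bucket:
        # lazy shard creation on first access, seeded with the effective limit
        pk = bucket_pk(self.ns, entity, resource, shard)
        if pk not in self.store:
            b0 = self._shard0(entity, resource)
            self.store[pk] = Bucket(b0.original_limit, b0.shard_count,
                                    self.effective_limit(entity, resource))
        return self.store[pk]

    def double_shards(self, entity: str, resource: str) -> int:
        # 1 -> 2 -> 4 -> 8: bump shard 0, then propagate (the aggregator's job in the design)
        b0 = self._shard0(entity, resource)
        b0.shard_count *= 2
        for s in range(1, b0.shard_count):
            pk = bucket_pk(self.ns, entity, resource, s)
            if pk in self.store:
                self.store[pk].shard_count = b0.shard_count
        return b0.shard_count

    def refill(self, entity: str, resource: str) -> None:
        # models the aggregator's refill: each existing shard is topped up to the
        # effective limit, while the wcu budget is restored undivided
        eff = self.effective_limit(entity, resource)
        for s in range(self.shard_count(entity, resource)):
            pk = bucket_pk(self.ns, entity, resource, s)
            if pk in self.store:
                self.store[pk].tokens = eff
                self.store[pk].wcu = WCU_LIMIT

    def _next_shard(self, entity: str, resource: str) -> int:
        # round-robin selection (the design allows random or round-robin)
        key = (entity, resource)
        n = self.shard_count(entity, resource)
        i = self._rr.get(key, 0) % n
        self._rr[key] = (i + 1) % n
        return i

    def acquire(self, entity: str, resource: str, amount: int = 1) -> bool:
        # at most 1 + MAX_RETRIES attempts, and never more attempts than shards
        attempts = min(1 + MAX_RETRIES, self.shard_count(entity, resource))
        for _ in range(attempts):
            b = self._bucket(entity, resource, self._next_shard(entity, resource))
            # every acquire() is one write against this shard's partition
            if b.wcu <= 0:
                self.double_shards(entity, resource)   # client-triggered on wcu exhaustion
                raise RateLimiterUnavailable("shard write budget exhausted; shards doubled")
            b.wcu -= 1
            if b.tokens >= amount:
                b.tokens -= amount
                return True
            # application limit exhausted on this shard: retry on another one
        return False
```

Typical use is `lim = ShardedLimiter("prod"); lim.create("tenant-a", "tokens", 1000); lim.acquire("tenant-a", "tokens", 10)`. The point to notice is that doubling halves each shard's effective application limit while leaving each shard's wcu budget at the full 1000, so the aggregate write headroom for the entity doubles without changing the limit the caller configured.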

Impact

  • Availability: High-traffic entities experience elevated latency and rejected requests beyond what their rate limits specify
  • Fairness: Other entities sharing the same DynamoDB partition may experience collateral throttling
  • Multi-tenant risk: In a shared LLM proxy scenario, one tenant's burst traffic could degrade service for others

The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap. Typical impact: resource exhaustion leading to denial of service.

CVE-2026-27695 has a CVSS score of 4.3 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.10.1); upgrading removes the vulnerable code path.

Affected versions

zae-limiter (<= 0.10.0)

Security releases

zae-limiter → 0.10.1 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade zae-limiter to 0.10.1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-27695? CVE-2026-27695 is a medium-severity allocation of resources without limits or throttling vulnerability in zae-limiter (pip), affecting versions <= 0.10.0. It is fixed in 0.10.1. The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap.
  2. How severe is CVE-2026-27695? CVE-2026-27695 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of zae-limiter are affected by CVE-2026-27695? zae-limiter (pip) versions <= 0.10.0 are affected.
  4. Is there a fix for CVE-2026-27695? Yes. CVE-2026-27695 is fixed in 0.10.1. Upgrade to this version or later.
  5. Is CVE-2026-27695 exploitable, and should I be worried? Whether CVE-2026-27695 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-27695 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-27695? Upgrade zae-limiter to 0.10.1 or later.
