express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers)

express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This issue has been patched in versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

不加限制或调节的资源分配

express-rate-limit 安全漏洞

express-rate-limit是Express Rate Limit开源的一个请求频率限制中间件。 express-rate-limit 8.0.0至8.0.2之前版本、8.1.1之前版本、8.2.2之前版本和8.3.0之前版本存在安全漏洞，该漏洞源于默认密钥生成器对IPv4映射的IPv6地址应用子网掩码不当，可能导致所有IPv4流量被归入单一速率限制桶。

N/A

N/A