VYPR
Unrated severity · NVD Advisory · Published Nov 14, 2022 · Updated Apr 30, 2025

Improper Restriction of Excessive Authentication Attempts in kareadita/kavita

CVE-2022-3993

Description

Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kavita prior to 0.6.0.3 allows unlimited login attempts, enabling brute-force password attacks due to the lack of rate limiting.

Vulnerability

The vulnerability is an improper restriction of excessive authentication attempts in the login endpoint of Kavita, an open-source manga/comic reader, prior to version 0.6.0.3. The code path is reachable through the Login action in the AccountController, which does not enforce a limit on failed login attempts from a single IP or user. This allows an attacker to submit a very large number of authentication requests without being blocked. [1] [2]

Exploitation

An attacker requires network access to the Kavita instance (no prior authentication). By sending many login requests with different passwords (e.g., with a dictionary or brute-force tool), the attacker can systematically attempt credential combinations. The server neither delays nor blocks after multiple failures, so thousands of attempts can be made without interruption. The commit also made the error messages less specific, but the core issue is the absence of rate limiting. [1] [2]

Impact

Successful exploitation leads to an attacker gaining access to a user's account by guessing the password. The impact is a breach of confidentiality and integrity: the attacker can read, modify, or delete files accessible to the compromised account, and potentially escalate privileges if the account has administrative rights. The scope is the entire instance's data accessible to that user. [2]

Mitigation

The vulnerability is fixed in version 0.6.0.3 of Kavita, released on or about November 14, 2022. Users are advised to upgrade to this version or later. There is no known workaround for versions prior to the fix. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
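The control whose absence is described above, as an added example (not Kavita's code or its actual fix): a sliding-window throttle on failed logins keyed by both account and client IP, with a uniform response that does not reveal whether the account exists. The credential store, the thresholds (5 failures in 300 s, 900 s lockout) and the replayed guess trace are constructed for illustration.

```python
import hmac
from collections import deque
# Credential store constructed for this example; a real service compares password hashes.
USERS = {"alice": "correct horse battery staple"}

def _keys(username, ip):
    # Case-fold the account so "Alice" and "alice" share one failure budget.
    return (f"user:{username.lower()}", f"ip:{ip}")
class LoginThrottle:
    """Sliding-window limiter on failed logins, keyed by account and by client IP."""
    def __init__(self, max_failures=5, window=300.0, lockout=900.0):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = {}      # key -> deque of failure timestamps inside the window
        self._locked_until = {}  # key -> time at which the lock expires

    def is_locked(self, username, ip, now):
        return any(self._locked_until.get(k, 0.0) > now for k in _keys(username, ip))

    def record_failure(self, username, ip, now):
        for k in _keys(username, ip):
            q = self._failures.setdefault(k, deque())
            q.append(now)
            while q and now - q[0] > self.window:  # forget failures older than the window
                q.popleft()
            if len(q) >= self.max_failures:
                self._locked_until[k] = now + self.lockout
                q.clear()

    def record_success(self, username):
        # Reset only the account's budget; clearing the IP lock too would let an
        # attacker reset it by signing in to an account they control.
        self._failures.pop(f"user:{username.lower()}", None)
        self._locked_until.pop(f"user:{username.lower()}", None)

def login(throttle, username, ip, password, now):
    """Return 'throttled', 'denied' or 'ok'; unknown user and wrong password look identical."""
    if throttle.is_locked(username, ip, now):
        return "throttled"  # serve as HTTP 429 with no account-specific detail
    if hmac.compare_digest(USERS.get(username, "").encode(), password.encode()):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, ip, now)
    return "denied"

def replay(throttle, username, ip, guesses, start=0.0):
    """Replay one guess per second (a constructed brute-force trace) and count outcomes."""
    counts = {"ok": 0, "denied": 0, "throttled": 0}
    for i, guess in enumerate(guesses):
        counts[login(throttle, username, ip, guess, start + i)] += 1
    return counts
```

Timestamps are passed in explicitly so the window and lockout can be exercised deterministically; a server would supply a monotonic clock.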

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Kareadita/Kavita (llm-fuzzy)
    Range: <0.6.0.3
  • kareadita/kareadita/kavita (v5)
    Range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.