Allocation of Resources Without Limits or Throttling in ikus060/rdiffweb
Description
Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Rdiffweb before 2.5.5 lacks rate limits on sensitive endpoints, enabling resource exhaustion and brute-force attacks via unthrottled requests.
Vulnerability Overview
CVE-2022-4723 describes an allocation of resources without limits or throttling vulnerability in the Rdiffweb backup management software prior to version 2.5.5. The software's sensitive endpoints, including the login page, RESTful API, and the "Resend code to my email" function in two-factor authentication, lacked proper rate limiting. This allowed an attacker to make an unlimited number of requests without encountering any throttling mechanism [1][2].
Attack Surface and Exploitation
The vulnerability is exploitable remotely without authentication for certain endpoints, such as the login page, and requires no special network position. An attacker can send a high volume of requests to unthrottled endpoints, consuming server resources (CPU, memory, or network bandwidth). The lack of rate limiting means the server will process every request, leading to resource exhaustion and potential denial of service [2]. Additionally, without request throttling, the login and two-factor authentication endpoints are susceptible to brute-force attacks [4].
Impact
Successful exploitation results in denial of service due to resource exhaustion, rendering the Rdiffweb service unavailable for legitimate users. Furthermore, the absence of rate limiting on authentication endpoints increases the risk of credential brute-forcing and unauthorized access, compromising the confidentiality and integrity of backup data managed by the software [2][4].
Mitigation
The issue was fixed in commit 6e9ee210548f6d3210704cac302cfc7cdb239765 for version 2.5.5 [2][3]. In the fix, a rate limit was introduced, defaulting to 20 requests per hour on sensitive endpoints, with an option to configure this limit via the --request-limit parameter. Users are advised to upgrade to Rdiffweb 2.5.5 or later to apply the patch [4].
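The throttling scheme the fix describes, shown here as an added Python example that is not rdiffweb's own code: each bucket is keyed by the session username (or, for anonymous clients, the remote IP) plus the endpoint, and a fixed window of 20 hits per hour answers the 21st request with HTTP 429. The in-memory datastore, the IP address, the username and the path are constructed for illustration.

```python
import time
from collections import defaultdict


class MemoryDatastore:
    """Constructed stand-in for the datastore behind get_and_increment(token, delay, hit)
    in rdiffweb/tools/ratelimit.py; rdiffweb's real datastore is not reproduced here."""

    def __init__(self):
        self._hits = defaultdict(list)  # token -> timestamps of hits inside the window

    def get_and_increment(self, token, delay, hit, now=None):
        """Record `hit` new requests for `token`, forget entries older than `delay`
        seconds, and return the hit count in the window after incrementing."""
        now = time.time() if now is None else now
        window = [t for t in self._hits[token] if now - t < delay]
        window.extend([now] * hit)
        self._hits[token] = window
        return len(window)


def build_token(remote_ip, session_username, scope, path_info):
    """Key the bucket the way the fix does: session username when logged in,
    otherwise the client IP, joined with the explicit scope or the request path."""
    identifier = session_username or remote_ip
    return identifier + '.' + (scope or path_info)


def check_ratelimit(datastore, remote_ip, session_username, path_info,
                    scope=None, limit=20, delay=3600, now=None):
    """Return 429 once the bucket exceeds `limit` hits per `delay` seconds, else 200.
    Defaults match the page: 20 requests per hour on sensitive endpoints."""
    token = build_token(remote_ip, session_username, scope, path_info)
    hits = datastore.get_and_increment(token, delay, 1, now=now)
    return 429 if hits > limit else 200


def simulate_resend_code_burst(attempts=21):
    """Constructed scenario: an anonymous client posts to the MFA 'resend code'
    endpoint `attempts` times within one hour. Returns the per-request status
    codes, the status seen by a logged-in user on the same IP, and the status
    of the anonymous client once the hour has elapsed."""
    store = MemoryDatastore()
    t0 = 1_700_000_000.0  # fixed clock so the run is deterministic
    codes = [check_ratelimit(store, '203.0.113.7', None, '/prefs/mfa/', now=t0 + i)
             for i in range(attempts)]
    # A logged-in user behind the same IP gets her own bucket (keyed by username).
    other = check_ratelimit(store, '203.0.113.7', 'alice', '/prefs/mfa/', now=t0 + 5)
    # After the window passes, the anonymous bucket drains and requests are accepted again.
    later = check_ratelimit(store, '203.0.113.7', None, '/prefs/mfa/',
                            now=t0 + 3601 + attempts)
    return codes, other, later
```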
- GitHub - ikus060/rdiffweb: A simplified backup management software for quick access to your archives through an efficient web interface.
- NVD - CVE-2022-4723
- advisory-database/vulns/rdiffweb/PYSEC-2022-43009.yaml at main · pypa/advisory-database
- Ratelimit "Resend code to my email" in Two-Factor Authentication view · ikus060/rdiffweb@6e9ee21
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| rdiffweb | PyPI | < 2.5.5 | 2.5.5 |
Affected products
- ikus060/ikus060/rdiffweb v5 (Range: unspecified)
Patches
- 6e9ee210548f: Ratelimit "Resend code to my email" in Two-Factor Authentication view
4 files changed · +7 −2
rdiffweb/controller/page_pref_mfa.py+1 −0 modified@@ -107,6 +107,7 @@ def validate(self, extra_validators=None): class PagePrefMfa(Controller): @cherrypy.expose + @cherrypy.tools.ratelimit(methods=['POST']) def default(self, action=None, **kwargs): form = MfaToggleForm(obj=self.app.currentuser) if form.is_submitted():
rdiffweb/core/config.py+1 −1 modified@@ -471,7 +471,7 @@ def get_parser(): metavar='LIMIT', type=int, default=20, - help='maximum number of requests per hour that can be made on sensitive endpoints. When this limit is reached, an HTTP 429 message is returned to the user or the user is logged out. This security measure is used to limit brute force attacks on the login page and the RESTful API.', + help='maximum number of requests per hour that can be made on sensitive endpoints. When this limit is reached, an HTTP 429 message is returned to the user or the user is logged out. This security measure is used to limit brute force attacks on the login page and the RESTful API. default: 20 requests / hour', ) parser.add(
rdiffweb/tools/ratelimit.py+4 −1 modified@@ -150,7 +150,10 @@ def check_ratelimit( cherrypy.request.app._ratelimit_datastore = datastore # If user is authenticated, use the username else use the ip address - token = (request.login or request.remote.ip) + '.' + (scope or request.path_info) + identifier = request.remote.ip + if hasattr(cherrypy.serving, 'session') and cherrypy.serving.session.get('_cp_username', None): + identifier = cherrypy.serving.session.get('_cp_username', None) + token = identifier + '.' + (scope or request.path_info) # Get hits count using datastore. hits = datastore.get_and_increment(token, delay, hit)
README.md+1 −0 modified@@ -113,6 +113,7 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/ * Fix loading of Charts in Status page * Ensure Gmail and other mail client doesn't create hyperlink automatically for any nodification sent by Rdiffweb to avoid phishing - credit to [Nehal Pillai](https://www.linkedin.com/in/nehal-pillai-02a854172) * Sent email notification to user when a new SSH Key get added - credit to [Nehal Pillai](https://www.linkedin.com/in/nehal-pillai-02a854172) +* Ratelimit "Resend code to my email" in Two-Factor Authentication view - credit to [Nehal Pillai](https://www.linkedin.com/in/nehal-pillai-02a854172) ## 2.5.4 (2022-12-19)
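Review bot: in the rdiffweb/controller/page_pref_mfa.py hunk, `@cherrypy.tools.ratelimit(methods=['POST'])` is applied to `default` with no `scope`, so by the ratelimit.py hunk the bucket key falls back to `request.path_info` and every POST action this view handles (toggling MFA as well as resending the code) draws on the same 20-per-hour budget; if that is intended, say so in a comment, otherwise pass a dedicated `scope` for the resend action. A regression test that issues 21 resend POSTs and expects 429 on the last one would pin the new behaviour.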
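Review bot: in the rdiffweb/core/config.py hunk the help string now hard-codes "default: 20 requests / hour" beside `default=20`, so the two can drift on the next change; argparse-style help strings accept `%(default)s`, e.g. `... default: %(default)s requests / hour`, which keeps the text in sync with the real default.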
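Review bot: in the rdiffweb/tools/ratelimit.py hunk, dropping the `request.login` branch means a caller authenticated through HTTP auth (the RESTful API named in the config help) rather than a browser session is now keyed by `request.remote.ip`, and anonymous traffic is keyed by that address alone; behind a reverse proxy whose forwarded address is not unwrapped by CherryPy's proxy tool, all clients share one bucket and 20 attempts from any one client would throttle the login page for everyone, which deserves a note in the deployment docs. Also `cherrypy.serving.session.get('_cp_username', None)` is evaluated twice; bind it once, e.g. `username = cherrypy.serving.session.get('_cp_username')` followed by `if username: identifier = username`.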
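Review bot: in the README.md hunk the context entry two lines above the new changelog line misspells "notification" as "nodification"; worth correcting in the same changelog edit.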
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7q4r-x5qg-mmcp (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-4723 (GHSA, advisory)
- github.com/ikus060/rdiffweb/commit/6e9ee210548f6d3210704cac302cfc7cdb239765 (GHSA, web)
- github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-43009.yaml (GHSA, web)
- huntr.dev/bounties/9369681b-8bfc-4146-a54c-c5108442d92c (GHSA, web)