VYPR
Moderate severity · NVD Advisory · Published Aug 3, 2023 · Updated Oct 11, 2024

Allocation of Resources Without Limits or Throttling in ikus060/rdiffweb

CVE-2023-4138

Description

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.8.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Rdiffweb prior to 2.8.0 lacks rate limiting on the 'send me a status report' feature, allowing attackers to flood email notifications.

Vulnerability

Description

CVE-2023-4138 is an allocation of resources without limits or throttling vulnerability in Rdiffweb, a web-based backup management application [1]. The issue resides in the "send me a status report" endpoint, which prior to version 2.8.0 did not enforce any rate limiting, allowing an attacker to trigger unlimited email notifications [2].

Exploitation

Conditions

An attacker can exploit this vulnerability by sending repeated POST requests to the affected endpoint without requiring authentication [3]. The only prerequisite is network access to the Rdiffweb web interface. The commit that fixes the issue explicitly adds a rate limit to the POST method of the report controller, confirming the attack vector [3].

Impact

Successful exploitation leads to email flooding, exhausting server resources (e.g., mail transfer agent capacity) and potentially causing a denial of service for legitimate users. The impact is limited to the email notification subsystem, but it can degrade the overall availability of the service [4].
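Because the pre-2.8.0 endpoint answered every POST with a fresh notification, the abuse leaves a recognisable trace in the web server's access log: one client hitting the report endpoint with POSTs far faster than a human would. The following detection script is an added example, not rdiffweb's own code; it assumes Common Log Format access logs and uses the path `/prefs/notification` as a placeholder, since the advisory page does not give the real URL. The log lines are constructed for the example.

```python
"""Flag bursts of POST requests to a report endpoint in access logs.

Added example, not rdiffweb code. Assumptions: Common Log Format lines and the
placeholder endpoint path REPORT_PATH (the real path is not on the advisory page).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

REPORT_PATH = "/prefs/notification"  # placeholder path (assumption)

# ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "method": m.group("method"), "path": m.group("path")}


def find_bursts(lines, path=REPORT_PATH, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for clients whose POSTs to `path` exceed
    `threshold` inside any sliding window of length `window`."""
    recent = defaultdict(deque)   # per-client timestamps inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _log(ip, ts, method, path, status=200):
    """Build one constructed CLF line for the sample below."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512'


# Constructed sample: one client fires 8 POSTs in 35 s, another sends two
# POSTs minutes apart, a third only loads the page.
SAMPLE_LOG = (
    [_log("198.51.100.7", f"03/Aug/2023:10:00:{s:02d} +0000", "POST", REPORT_PATH)
     for s in range(0, 40, 5)]
    + [_log("203.0.113.5", "03/Aug/2023:10:00:10 +0000", "POST", REPORT_PATH),
       _log("203.0.113.5", "03/Aug/2023:10:05:00 +0000", "POST", REPORT_PATH),
       _log("192.0.2.9", "03/Aug/2023:10:00:12 +0000", "GET", REPORT_PATH)]
)


def run_sample():
    """Run the detector over the constructed log; returns the flagged clients."""
    return find_bursts(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, peak in run_sample().items():
        print(f"{ip}: {peak} report POSTs within 60 s")
```

The threshold of five per minute is arbitrary; tune it to the legitimate rate at which users request reports, and key on the authenticated user as well as the source IP where the log carries it, so a flood through a shared proxy is not missed.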

Mitigation

The vulnerability is patched in Rdiffweb version 2.8.0, which introduces rate limiting on the affected endpoint. Users are advised to upgrade to the latest version; no workaround is documented.
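The fix is a per-client rate limit on the POST method only, leaving the GET that renders the form untouched. The code below is an added example, not rdiffweb's or CherryPy's code (the real fix uses CherryPy's ratelimit tool): it is a stand-alone sliding-window limiter wrapped as a method-scoped decorator, run against a simulated "send me a status report" handler so that the number of emails produced with and without the limit can be compared. The handler name, the client identifier and the limits (3 requests per period) are assumptions for illustration.

```python
"""Per-client rate limit on a 'send me a status report' handler.

Added example, not rdiffweb's or CherryPy's code. Handler names, the client
identifier and the limit values are assumptions for illustration.
"""
import time
from collections import defaultdict, deque
from functools import wraps


class RateLimitExceeded(Exception):
    """Raised when a client exceeds its quota; a web layer maps this to HTTP 429."""


class SlidingWindowLimiter:
    """Allow at most `limit` hits per `period` seconds for each client id."""

    def __init__(self, limit, period, clock=time.monotonic):
        self.limit = limit
        self.period = period
        self.clock = clock             # injectable for deterministic tests
        self._hits = defaultdict(deque)

    def check(self, client_id):
        now = self.clock()
        q = self._hits[client_id]
        while q and now - q[0] >= self.period:   # expire hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            raise RateLimitExceeded(client_id)
        q.append(now)


def ratelimit(limiter, methods=("POST",)):
    """Decorator applying `limiter` only to the listed HTTP methods."""
    def deco(fn):
        @wraps(fn)
        def wrapper(client_id, method, *args, **kw):
            if method in methods:
                limiter.check(client_id)
            return fn(client_id, method, *args, **kw)
        return wrapper
    return deco


class FakeMailer:
    """Stand-in for the MTA: records every message instead of sending it."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject):
        self.sent.append((to, subject))


def simulate(n_requests, limited, limit=3, period=60.0):
    """Replay n_requests POSTs from one client, one per second.

    Returns (emails_sent, requests_rejected)."""
    now = [0.0]
    mailer = FakeMailer()
    limiter = SlidingWindowLimiter(limit, period, clock=lambda: now[0])

    def send_report(client_id, method):
        # GET renders the form; POST triggers one status-report email.
        if method == "POST":
            mailer.send(client_id, "status report")
        return 200

    handler = ratelimit(limiter, methods=["POST"])(send_report) if limited else send_report
    rejected = 0
    for i in range(n_requests):
        now[0] = float(i)
        try:
            handler("client-a", "POST")
        except RateLimitExceeded:
            rejected += 1
    return len(mailer.sent), rejected


if __name__ == "__main__":
    print("unlimited:", simulate(50, limited=False))   # every POST sends mail
    print("limited:  ", simulate(50, limited=True))    # only `limit` per period
```

With the limiter in place a burst of 50 POSTs inside one window produces three emails and 47 rejections; with a 10-second period the client is readmitted as hits age out, which is the behaviour an operator wants for a feature that legitimate users do call occasionally.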

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: rdiffweb (PyPI)
Affected versions: < 2.8.1
Patched versions: 2.8.1

Affected products

2
  • ghsa-coords
    Range: < 2.8.1
  • ikus060/ikus060/rdiffwebv5
    Range: unspecified

Patches

1
feef0d7b11d8

Merge branch 'patrik-ratelimit-send-report' into 'master'

https://github.com/ikus060/rdiffweb · Patrik Dufresne · Jun 1, 2023 · via ghsa
2 files changed · +2 −0
  • rdiffweb/controller/page_pref_notification.py · +1 −0 · modified
    @@ -134,6 +134,7 @@ def populate_obj(self, userobj):
     
    
     class PagePrefNotification(Controller):
    
         @cherrypy.expose
    
    +    @cherrypy.tools.ratelimit(methods=['POST'])
    
         def default(self, **kwargs):
    
             # Process the parameters.
    
             report_form = ReportForm(obj=self.app.currentuser)
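Review bot: the added `@cherrypy.tools.ratelimit(methods=['POST'])` carries no explicit threshold, so the number of requests allowed per period comes from the tool's defaults or from server configuration that this hunk does not show; stating the intended limit here (or in a comment next to the decorator) would make the protection reviewable, and the PR should say how a throttled request is answered, since nothing in the hunk shows that path. Restricting the limit to POST is the right scope, as `def default(self, **kwargs)` also serves the GET that builds `ReportForm` for display. The commit touches only the controller and the README, so a regression test that issues more POSTs than the limit and expects the excess to be rejected is still missing.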
    
    
  • README.md · +1 −0 · modified
    @@ -131,6 +131,7 @@ Professional support for Rdiffweb is available by [contacting IKUS Soft](https:/
     * Add support for SQLAlchemy v2.0
     * When reaching 100% disk usage, show quota in red to improve visibility
     * Send notification when user's quota reach 90% #46
    +* Add ratelimit to "send me a status report" to avoid email flooding #272 - credit to [Nehal Pillai](https://www.linkedin.com/in/nehal-pillai-02a854172)
     
     ## 2.7.1 (2023-04-27)
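Review bot: the new changelog bullet is placed above `## 2.7.1 (2023-04-27)`, i.e. in the section for the upcoming release, which is correct, but it gives operators no idea what the limit is or whether it can be tuned; adding the default threshold, or a pointer to the relevant setting, to the line `* Add ratelimit to "send me a status report" to avoid email flooding #272 ...` would help administrators who need to adjust it. Minor wording point: "ratelimit" reads better as "rate limit", matching the prose style of the surrounding bullets.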
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
