Moderate severity · NVD Advisory · Published Feb 25, 2026 · Updated Feb 26, 2026
zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service
CVE-2026-27695
Description
zae-limiter is a rate limiting library using the token bucket algorithm. Prior to version 0.10.1, all rate limit buckets for a single entity share the same DynamoDB partition key (namespace/ENTITY#{id}). A high-traffic entity can exceed DynamoDB's per-partition throughput limits (~1,000 WCU/sec), causing throttling that degrades service for that entity — and potentially co-located entities in the same partition. Version 0.10.1 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| zae-limiter (PyPI) | < 0.10.1 | 0.10.1 |
Affected products
- zeroae/zae-limiter v5, Range: < 0.10.1
References
- github.com/advisories/GHSA-76rv-2r9v-c5m6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-27695 (ghsa, ADVISORY)
- github.com/zeroae/zae-limiter/commit/481ce44d818d66e31d8837bc48519660ce4c267f (ghsa, WEB)
- github.com/zeroae/zae-limiter/releases/tag/v0.10.1 (ghsa, x_refsource_MISC, WEB)
- github.com/zeroae/zae-limiter/security/advisories/GHSA-76rv-2r9v-c5m6 (ghsa, x_refsource_CONFIRM, WEB)