Sylius Rate Limiting Vulnerability in Version 2.0.2 Allows Unrestricted Brute-Force Attacks

Vulnerability

A rate-limiting vulnerability has been identified in Sylius version 2.0.2. The issue allows remote attackers to conduct unrestricted brute-force attacks against user accounts, which could lead to account compromise. Because the unthrottled requests also consume server resources, the same weakness could cause denial of service for legitimate users. The Sylius core software includes no protection against brute-force attacks, leaving deployments to rely on external firewalls, rate-limiting middleware, or authentication providers.
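One of the mitigations the paragraph points at, rate limiting in front of the login form, can be supplied by Symfony's built-in login throttling, which Sylius inherits from its Symfony security layer. The excerpt below is an added example, not configuration shipped by Sylius or taken from this advisory; the firewall names `admin` and `shop` and the threshold values are assumptions, and the existing firewall settings of the installation are left untouched.

```yaml
# config/packages/security.yaml (added example; firewall names and values are assumed)
# Requires the symfony/rate-limiter package to be installed.
security:
    firewalls:
        admin:
            # Keep the existing Sylius admin firewall settings (pattern, form_login, ...) here.
            # Symfony counts failed attempts per username and, separately, per client IP
            # (the IP limit is 5 x max_attempts), then rejects further attempts until
            # the interval has elapsed.
            login_throttling:
                max_attempts: 5
                interval: '15 minutes'
        shop:
            # Same treatment for the customer-facing login.
            login_throttling:
                max_attempts: 5
                interval: '15 minutes'
```

Pick thresholds that fit real user behaviour, and verify the lockout responses in access logs so that a burst of failed logins is visible to monitoring rather than silently absorbed.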

Impact

Exploitation of this vulnerability could result in successful brute-force attacks on user accounts, increasing the risk of unauthorized account access. It could also disrupt normal user activities, causing frustration and potential loss of access to important account features.

Reproduction

To reproduce this vulnerability, log into a Sylius 2.0.2 application and navigate to the login page. Use an automated tool or script to send multiple login requests rapidly. The absence of rate limiting will allow these requests to go through unchecked, enabling a brute-force attack on user credentials.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          7.5
  exploitability  9.7
  remediation     0.0
  relevance       0.0
  threat          6.6
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.