ethyca-fides
cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*
- < 2.69.1
A vulnerability in the Fides Webserver API's built-in IP-based rate limiting has been identified, affecting versions prior to 2.69.1. In environments with CDNs, proxies, or load balancers, the rate limiting is applied based on the immediate connection IPs rather than the actual client IPs. Additionally, the rate limit counters are stored in-memory per container, rather than in a shared store. This combination allows attackers to bypass rate limits and potentially exhaust resources, leading to a denial-of-service for legitimate clients.
Exploitation of this vulnerability allows attackers to bypass the intended rate limits, potentially causing resource exhaustion. It can also disrupt service for legitimate users: because requests are counted against the shared infrastructure IP (the proxy, CDN edge, or load balancer), rate-limit responses triggered by one client are then applied to every user arriving through that IP.
The vulnerability can be reproduced by deploying Fides Webserver API versions prior to 2.69.1 in an environment with a CDN, proxy, or load balancer. Once deployed, the built-in rate limiting can be tested by exceeding the default limits, which will not be enforced correctly due to the vulnerability.
Users are advised to upgrade to Fides version 2.69.1 or later, where this vulnerability has been patched. For deployments that cannot be upgraded, rate limiting can be implemented externally at the infrastructure level using a Web Application Firewall (WAF), API Gateway, or similar technology.
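As an added illustration of the two defects described above (keying on the immediate peer address and keeping counters per container) beside a corrected design, this is example code written for this page, not Fides' own rate limiter or patch. It assumes a constructed proxy range of 10.0.0.0/8 and uses an in-process dict to stand in for a shared store.

```python
import ipaddress
from typing import Optional
# Constructed: the address range the CDN / load balancer connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def client_ip(peer_ip: str, forwarded_for: Optional[str]) -> str:
    """Rate-limit key: the peer IP, unless the peer is a trusted proxy, then the
    right-most untrusted X-Forwarded-For hop (a direct peer's header is spoofable)."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES) or not forwarded_for:
        return peer_ip
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed header: fall back to the peer address
        if not any(addr in net for net in TRUSTED_PROXIES):
            return hop
    return peer_ip

class RateLimiter:
    """Fixed-window counter. Give every worker/container the same `store`
    (a shared backend such as Redis in production) so the limit is global."""
    def __init__(self, limit: int, window_s: int, store: Optional[dict] = None):
        self.limit, self.window_s = limit, window_s
        self.store = store if store is not None else {}  # private = per-container

    def allow(self, key: str, now: float) -> bool:
        window = int(now // self.window_s)
        count, seen = self.store.get(key, (0, window))
        count = count if seen == window else 0
        if count >= self.limit:
            return False
        self.store[key] = (count + 1, window)
        return True

def demo(limit: int = 3) -> dict:
    # Constructed scenario: clients A and B behind proxy 10.0.0.5, two containers.
    proxy, a, b = "10.0.0.5", "203.0.113.10", "203.0.113.20"
    naive = RateLimiter(limit, 60)                  # keyed on peer IP, local store
    shared: dict = {}
    fixed1, fixed2 = RateLimiter(limit, 60, shared), RateLimiter(limit, 60, shared)
    for _ in range(limit):                          # A uses up its allowance
        naive.allow(proxy, 0)
        fixed1.allow(client_ip(proxy, a), 0)
    return {
        "b_blocked_naive": not naive.allow(proxy, 0),             # collateral 429
        "b_allowed_fixed": fixed2.allow(client_ip(proxy, b), 0),  # own bucket
        "a_blocked_other_container": not fixed2.allow(client_ip(proxy, a), 0),
    }
```

With the naive keying, client B is refused as soon as client A has used the proxy's allowance; with the corrected keying and a shared store, B keeps its own bucket and A's limit holds on whichever container serves it.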