PinchTab Incomplete Request-Throttling Protection Vulnerability Allowing Unbounded API Token Brute-Forcing

Vulnerability

A vulnerability exists in PinchTab versions 0.7.7 prior to 0.8.4, where incomplete request-throttling protections for authentication-checkable endpoints allow unbounded brute-force attacks on API tokens. In versions 0.7.7 through 0.8.3, the 'RateLimitMiddleware' was fully implemented but never applied in the production HTTP handler chain, so requests went unthrottled. Additionally, the middleware would have trusted the client-controlled 'X-Forwarded-For' header, allowing a client to spoof its source address and reset its own limit. Version 0.8.4 applied the middleware and switched to using the immediate peer IP, but it still exempted the '/health' endpoint from rate limiting, leaving that endpoint open to token-guessing attacks. This issue is particularly concerning in deployments where an attacker can reach the API and a weak token is used.

Impact

Exploitation of this vulnerability allows for rapid guessing of API tokens on unthrottled endpoints, increasing the risk of unauthorized access, especially if weak tokens are used.

Reproduction

To reproduce this vulnerability, deploy PinchTab version 0.7.7 through 0.8.3 and confirm that the 'RateLimitMiddleware' is not applied in the production handler chain. Then send repeated requests to an auth-checkable endpoint that lacks rate-limit protection, such as '/health', using a weak or guessable API token. The absence of throttling responses (HTTP 429) demonstrates the vulnerability.

Remediation

Users can upgrade to PinchTab version 0.8.5, where this vulnerability is fully addressed by applying the 'RateLimitMiddleware' in the production handler chain, removing exemptions for auth-checkable endpoints, and ensuring the middleware uses the immediate peer IP by default.
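The three remediation points above (apply the middleware to the whole handler chain, key on the immediate TCP peer rather than 'X-Forwarded-For', and exempt no endpoint, '/health' included) illustrated in Go net/http. This is an added example written for this page, not PinchTab's own 'RateLimitMiddleware'; it assumes a Go net/http handler chain, and the limiter, its fixed-window policy and the 'PeerIP' helper are hypothetical.

```go
package main

import (
	"net"
	"net/http"
	"sync"
	"time"
)

// RateLimiter is a hypothetical fixed-window limiter keyed by peer IP (added example, not PinchTab's own code).
type RateLimiter struct {
	Limit  int           // requests allowed per Window from one peer IP
	Window time.Duration
	mu     sync.Mutex
	counts map[string]int
	starts map[string]time.Time
}

func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
	return &RateLimiter{Limit: limit, Window: window, counts: map[string]int{}, starts: map[string]time.Time{}}
}

// Allow counts one request from key and reports whether it is still within Limit.
func (rl *RateLimiter) Allow(key string) bool {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	if start, seen := rl.starts[key]; !seen || time.Since(start) >= rl.Window {
		rl.starts[key], rl.counts[key] = time.Now(), 0 // open a fresh window
	}
	rl.counts[key]++
	return rl.counts[key] <= rl.Limit
}

// PeerIP keys on the TCP peer (RemoteAddr), never on X-Forwarded-For, so a spoofed header cannot reset the count.
func PeerIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr // no port present; use the raw value
}

// Middleware applies the limit to every route it wraps, with no /health exemption.
func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if rl.Allow(PeerIP(r)) {
			next.ServeHTTP(w, r)
		} else {
			http.Error(w, "too many requests", http.StatusTooManyRequests)
		}
	})
}
```

Wire it as `NewRateLimiter(n, window).Middleware(mux)` around the server's entire mux rather than around individual routes, so that every auth-checkable endpoint, '/health' included, passes through it.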

Added: Mar 26, 2026, 10:06 PM
Updated: Mar 26, 2026, 10:06 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.