CVE
GHSA-h45m-mgcp-q388
openssl-encrypt: TOTP rate limiter is in-memory only — not shared across workers, lost on restart
Severity: HIGH
Summary
The TOTP brute-force rate limiter in opensslencryptserver/modules/pepper/totp.py at lines 47-98 uses an in-memory defaultdict(list) as a class variable.
Affected Code
class TOTPRateLimiter:
def __init__(self, ...):
self.attempts: Dict[str, List[datetime]] = defaultdict(list)
self.lockouts: Dict[str, datetime] = {}
class TOTPService:
_rate_limiter = TOTPRateLimiter() # Class variable, in-memory onlyImpact
- Rate limit state is not shared across multiple server instances/workers — an attacker can distribute attempts
- All rate limit state is lost on server restart — allows immediate retry
- In multi-worker deployments, each worker has independent rate limit state
Recommended Fix
- Use Redis or the database for rate limit state storage
- Or use a shared-memory approach for multi-worker deployments
- At minimum, persist lockout state to survive restarts
Fix
Fixed in commit 2749bc0 on branch releases/1.4.x — added abstract RateLimitBackend with InMemoryBackend and DatabaseBackend implementations; defaults to DatabaseBackend when DB available.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
C
H
U
-
Related Resources
No items found.
References
https://github.com/jahlives/opensslencrypt/security/advisories/GHSA-h45m-mgcp-q388, https://github.com/jahlives/opensslencrypt/commit/2749bc0949b34a5921a35fb4a3f1856fc51916de, https://github.com/jahlives/openssl_encrypt
Basic Information
Ecosystem
