Skip to main content

Security controls bypass or absence


The system has security controls that can be bypassed.


Send multiple requests to the server without control.


Limit the number of requests that can be made by the same host in defined time slots.


Anonymous attacker from the Internet.

Expected Remediation Time

⌚ 120 minutes.


Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N


  • Exploit code madurity: X
  • Remediation level: X
  • Report confidence: X


  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application correctly sets up a limit to the number of requests based on the business needs

import rateLimit from 'express-rate-limit';
//Middleware that limits the amount of requests
export const rateLimiter = rateLimit({
windowMs: 24 * 60 * 60 * 1000,
max: 100,
message: 'You have exceeded the 100 requests in 24 hrs limit!',
headers: true,

Non compliant code

There is no limit to the number of request which could overload the server

const rateLimit = require("express-rate-limit");
const apiLimiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: None