The vulnerability CVE-2026-27695 affects the zeroae zae-limiter library, a rate limiting tool that implements the token bucket algorithm to control request rates. Prior to version 0.10.1, the library stored all rate limit buckets for a single entity under the same DynamoDB partition key formatted as `namespace/ENTITY#{id}`. DynamoDB enforces throughput limits on a per-partition basis, typically around 1,000 write capacity units (WCU) per second. When a high-traffic entity generates enough requests, it can exceed these throughput limits, causing DynamoDB to throttle requests. This throttling results in degraded availability of the rate limiting service for that entity and potentially other entities sharing the same partition key. The root cause is the lack of resource allocation limits or throttling within the library's partition key design, which violates CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability does not expose sensitive data or allow unauthorized modifications but impacts service availability. The fix introduced in version 0.10.1 changes the partition key scheme to distribute rate limit buckets more evenly across partitions, preventing a single entity from overwhelming a partition's throughput. No known exploits are reported in the wild, but the vulnerability poses a risk to systems relying on zae-limiter for rate limiting in high-traffic scenarios.

The primary impact of this vulnerability is on the availability of services using the zae-limiter library for rate limiting. Organizations with high-traffic entities risk experiencing throttling from DynamoDB, which can degrade or disrupt service responsiveness. This can lead to denial of service conditions for affected entities and potentially others sharing the same DynamoDB partition, causing cascading service degradation. While confidentiality and integrity remain unaffected, the availability impact can affect user experience, operational continuity, and potentially lead to financial or reputational damage. Systems that rely heavily on zae-limiter for controlling API or service request rates are particularly vulnerable. The vulnerability could be exploited unintentionally by legitimate high traffic or intentionally by an attacker generating excessive requests to trigger throttling. The scope includes any deployment of zae-limiter versions prior to 0.10.1 using AWS DynamoDB as the backend. Given the medium CVSS score (4.3), the threat is moderate but significant in environments with high request volumes.

To mitigate this vulnerability, organizations should upgrade all instances of the zeroae zae-limiter library to version 0.10.1 or later, where the partition key scheme has been revised to prevent throughput bottlenecks. Additionally, review and redesign rate limiting configurations to ensure that high-traffic entities do not share DynamoDB partitions excessively. Implement monitoring on DynamoDB partition throttling metrics (such as ConsumedWriteCapacityUnits and ThrottledRequests) to detect early signs of resource exhaustion. Consider applying adaptive rate limiting or request shaping upstream to prevent sudden spikes in traffic. If upgrading immediately is not feasible, temporarily isolate high-traffic entities into separate namespaces or partitions to reduce shared throughput contention. Finally, conduct load testing to validate that the rate limiting infrastructure can handle expected traffic volumes without triggering throttling.