django-smart-ratelimit is vulnerable to Protection Mechanism Failure
61
Medium Risk
In v4.0.3, django-smart-ratelimit fixes multiple security issues in its rate-limiting enforcement. Authenticated users could manipulate tenant scoping via client-supplied tenant_id/headers, causing cross-tenant bucket exhaustion/bypass. Malformed IP/CIDR entries in ALLOW_LIST/DENY_LIST previously failed open (silently dropped the entire list). IPv4-mapped IPv6 addresses could bypass IPv4 allow/deny entries. Rate-limit enforcement was also ineffective in some configurations (e.g., MongoDB fixed_window counter not enforced when clock alignment was disabled; DRF throttle ignored the configured algorithm). The patch changes tenant/key derivation, validates/parses policy lists fail-fast, normalizes IP-mapped forms, and corrects algorithm/enforcement logic.
You are affected if you are using a version that falls within the vulnerable range.
django-smart-ratelimit is vulnerable to Protection Mechanism Failure in versions 0.0.1 - 4.0.2.
Upgrade the django-smart-ratelimit library to the patched version (4.0.3 or later).
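The three enforcement defects described above (client-controlled tenant scoping, fail-open policy lists, and IPv4-mapped IPv6 slipping past IPv4 entries) are easy to reproduce in isolation. The following is an added illustration, not django-smart-ratelimit's own code: it sketches the pre-fix fail-open parsing next to a fail-fast parser, normalizes `::ffff:a.b.c.d` addresses before allow/deny matching, and derives the bucket key from the server-side user record rather than a client header. The function names, the `X-Tenant-ID` header, and the request dictionary are assumptions for the example.

```python
import ipaddress
from typing import Iterable, List, Union

# Constructed example, not the library's implementation.

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class PolicyListError(ValueError):
    """Raised at configuration time when an ALLOW_LIST/DENY_LIST entry is malformed."""


def parse_policy_list_lenient(entries: Iterable[str]) -> List[IPNetwork]:
    """Sketch of the fail-open behaviour the advisory describes (hypothetical):
    a single bad entry makes the whole list evaluate to nothing, so no address
    is ever allowed or denied and the operator gets no error."""
    try:
        return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]
    except ValueError:
        return []


def parse_policy_list(entries: Iterable[str]) -> List[IPNetwork]:
    """Fail fast: a malformed entry raises so the misconfiguration surfaces at
    startup instead of silently disabling the policy."""
    networks: List[IPNetwork] = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError as exc:
            raise PolicyListError(
                f"invalid ALLOW_LIST/DENY_LIST entry {entry!r}: {exc}"
            ) from exc
    return networks


def normalize_ip(raw: str) -> IPAddress:
    """Parse a client address and collapse an IPv4-mapped IPv6 address
    (::ffff:203.0.113.9) to its IPv4 form, so that an IPv4 allow/deny entry
    also covers the mapped representation."""
    addr = ipaddress.ip_address(raw.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def matches(raw_addr: str, networks: Iterable[IPNetwork]) -> bool:
    """True if the normalized address falls inside any network in the list.
    ipaddress returns False for a version mismatch, so mixed lists are safe."""
    addr = normalize_ip(raw_addr)
    return any(addr in net for net in networks)


def derive_bucket_key(request: dict, scope: str = "api") -> str:
    """Build the rate-limit bucket key from server-side identity only.
    The client-supplied X-Tenant-ID header is deliberately never consulted, so an
    authenticated user cannot point their requests at another tenant's bucket."""
    user = request["user"]                 # the authenticated user record
    tenant_id = user["tenant_id"]          # tenant membership stored server-side
    return f"{scope}:tenant:{tenant_id}:user:{user['id']}"


if __name__ == "__main__":
    # Constructed sample configuration and request.
    policy = parse_policy_list(["203.0.113.0/24", "2001:db8::/32"])
    print(matches("::ffff:203.0.113.9", policy))   # mapped IPv4 hits the IPv4 entry
    print(parse_policy_list_lenient(["203.0.113.0/24", "not-an-ip"]))  # [] -> fail open
    req = {"user": {"id": 42, "tenant_id": "acme"},
           "headers": {"X-Tenant-ID": "other-tenant"}}
    print(derive_bucket_key(req))
```

Running the module shows the contrast directly: the lenient parser returns an empty list for a list with one typo, while `parse_policy_list` raises `PolicyListError` on the same input, and the bucket key contains only the tenant from the user record regardless of what the header says.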