django-rest-passwordreset is vulnerable to User Enumeration
20
Low Risk
The password-reset request endpoint (POST .../reset_password/) discloses whether an account exists by returning HTTP 400 with an email error for unknown or ineligible accounts while returning HTTP 200 for valid ones, forming a user-enumeration oracle. The token-validation and password-confirm endpoints also hard-code throttle_classes = (), so an operator's global DRF throttle configuration is silently bypassed on these security-critical flows, and they return distinct error messages that reveal token state (missing vs expired). An unauthenticated attacker can enumerate valid accounts and, when a weak token generator is configured, brute-force reset tokens without rate limiting. The fix defaults DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE to true so the request endpoint always returns a generic 200, stops overriding global throttles on validate/confirm, and returns a single generic 404 for all token failures.
You are affected if you are using a version that falls within the vulnerable range and have not set DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE = True (available from 1.1.0 onward).
django-rest-passwordreset is vulnerable to User Enumeration in versions 0.9.0 - 1.5.0.
Upgrade the django-rest-passwordreset library to the patch version. On versions 1.1.0 and later you can also set DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE = True to close the user-enumeration oracle without upgrading.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant