Intel

AIKIDO-2026-681212

pyrate-limiter is vulnerable to SQL Injection

SQL Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2026

59

Medium Risk

This Affects:

PYTHONpyrate-limiter
3.0.0 - 4.2.0
Fixed in 4.3.0
Are you affected? Scan for Free

TL;DR

The SQLite backend (SQLiteBucket) builds its INSERT statement by interpolating the user-supplied item name directly into the SQL string via an f-string (f"('{name}', {item.timestamp})"). The item name is the rate-limit key passed to try_acquire(name=...), which is frequently derived from untrusted request data. A crafted name containing single quotes or other SQL metacharacters breaks out of the intended VALUES clause, allowing SQL injection and crashing put on otherwise benign names. The fix binds the name and timestamp as query parameters using executemany instead of string interpolation.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and using the SQLite backend (SQLiteBucket) with an attacker-influenced rate-limit key name.

Background info

pyrate-limiter is vulnerable to SQL Injection in versions 3.0.0 - 4.2.0.

How to fix this

Upgrade the pyrate-limiter library to the patch version.