pyrate-limiter is vulnerable to SQL Injection
59
Medium Risk
The SQLite backend (SQLiteBucket) builds its INSERT statement by interpolating the user-supplied item name directly into the SQL string via an f-string (f"('{name}', {item.timestamp})"). The item name is the rate-limit key passed to try_acquire(name=...), which is frequently derived from untrusted request data. A crafted name containing single quotes or other SQL metacharacters breaks out of the intended VALUES clause, allowing SQL injection and crashing put on otherwise benign names. The fix binds the name and timestamp as query parameters using executemany instead of string interpolation.
You are affected if you are using a version that falls within the vulnerable range and using the SQLite backend (SQLiteBucket) with an attacker-influenced rate-limit key name.
pyrate-limiter is vulnerable to SQL Injection in versions 3.0.0 - 4.2.0.
Upgrade the pyrate-limiter library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant