Title: [Hardening] F-14: Fail to Ensure Request Limits and/or Throttling by Default. · Issue #13342 · apache/cloudstack · GitHub
Open Graph Title: [Hardening] F-14: Fail to Ensure Request Limits and/or Throttling by Default. · Issue #13342 · apache/cloudstack
X Title: [Hardening] F-14: Fail to Ensure Request Limits and/or Throttling by Default. · Issue #13342 · apache/cloudstack
Description: The required feature described as a wish Description: By Default, CloudStack does not enforce rate limiting or request throttling on its API endpoints. Any client with network access to the management plane can issue an unlimited number ...
Open Graph Description: The required feature described as a wish Description: By Default, CloudStack does not enforce rate limiting or request throttling on its API endpoints. Any client with network access to the managem...
X Description: The required feature described as a wish Description: By Default, CloudStack does not enforce rate limiting or request throttling on its API endpoints. Any client with network access to the managem...
Opengraph URL: https://github.com/apache/cloudstack/issues/13342
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Hardening] F-14: Fail to Ensure Request Limits and/or Throttling by Default.","articleBody":"### The required feature described as a wish\n\n\u003cimg width=\"899\" height=\"548\" alt=\"Image\" src=\"https://github.com/user-attachments/assets/baa6832f-36ee-4e97-bd64-3bdbf21fb2ea\" /\u003e\n\n**Description:** By Default, CloudStack does not enforce rate limiting or request throttling on its API endpoints. Any client with network access to the management plane can issue an unlimited number of API requests without restriction, delay, or penalty.\n\n**Affected Components:** Management API\n\n**Impact:** An attacker or malfunctioning client can flood the API with requests, exhausting server-side resources (e.g., DB) and causing a denial of service. The absence of throttling also enables unlimited automated authentication attempts, which compounds the risk previously described in other reports.\n\n**Steps to Reproduce:**\n- Using a custom script or a fuzzing tool, send a high volume of requests in rapid succession to any API endpoint.\n- Observe that all requests are processed without any throttling, queuing delay, or rejection based on request rate.\n\n**Recommended Remediation:** Adopt rate-limiting and throttling out-of-the-box. Return `HTTP 429` with a `Retry-After` header when a threshold is exceeded, as an attempt to slow down legit clients (attackers do not slow!)","author":{"url":"https://github.com/davift","@type":"Person","name":"davift"},"datePublished":"2026-06-04T01:05:48.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/13342/cloudstack/issues/13342"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:8401c24c-432a-3237-8a26-6bcb268c89c5 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | C1FA:3730CE:32E85C4:4615CF9:6A4F26DA |
| html-safe-nonce | 8afc07a4824d498a6d1d9ac8379cd0f47c884944a42360c1ba46101450c98df4 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJDMUZBOjM3MzBDRTozMkU4NUM0OjQ2MTVDRjk6NkE0RjI2REEiLCJ2aXNpdG9yX2lkIjoiNTM4ODAzMzM0MzU4NDQxMzQwMiIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 2012ef82d36dc60b927a7fbfc4744c44c770cfb0db2d984a12df51b2ac544838 |
| hovercard-subject-tag | issue:4584878121 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13342/issue_layout |
| twitter:image | https://opengraph.githubassets.com/d7d573f9ae0f436d88612b48134fc7546ef09754de01565a518cd06420e747a2/apache/cloudstack/issues/13342 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/d7d573f9ae0f436d88612b48134fc7546ef09754de01565a518cd06420e747a2/apache/cloudstack/issues/13342 |
| og:image:alt | The required feature described as a wish Description: By Default, CloudStack does not enforce rate limiting or request throttling on its API endpoints. Any client with network access to the managem... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | davift |
| hostname | github.com |
| expected-hostname | github.com |
| None | b92d11c0aa4a77d54ef4af1078b6a15fb5a70a215b30c4ecf28889d5a8e656d9 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 2b8f23afb982271f1b22258a94aede67a6b77760 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width