No Rate Limit On migrate-email Endpoint Leads to Brute-force Attack in kareadita/kavita


Reported on

Oct 27th 2022

The migrate-email endpoint requires the Email, Username, and Password parameters. The endpoint performs authentication but has no protection against brute-force attacks, so an attacker can try every possible password combination without any restriction.

CWE-307: Improper Restriction of Excessive Authentication Attempts


1. Send this request to Burp Suite Intruder

POST /api/account/migrate-email HTTP/1.1
Accept: application/json, text/plain, */*
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,id-ID;q=0.8,id;q=0.7,ar-SA;q=0.6,ar;q=0.5
Connection: close
Content-Type: application/json
Content-Length: 67


2. Mark the Password value

3. Run a brute-force attack with a 1000-password list and obtain the valid admin password


An attacker could perform a brute-force attack against normal and administrative users, trying different passwords without any restriction and eventually gaining access to the targeted account.
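The missing control, shown as an added illustration (this is not Kavita's code nor the maintainers' fix): a failure counter keyed on both the target account and the source address, consulted by a handler for the {Email, Username, Password} body before any password check. The handler, the in-memory single-process store, the thresholds and the credential store are all assumptions; replaying the report's 1000-guess list against it shows the list being cut off after MAX_FAILURES attempts, with the correct password at the end of the list rejected as well.

```python
import hmac
import time
from collections import Counter, defaultdict, deque
MAX_FAILURES = 5       # failures tolerated per key inside the window (assumed value)
WINDOW_SECONDS = 300   # sliding window for counting failures
LOCKOUT_SECONDS = 900  # block duration once the threshold is reached

class AuthThrottle:
    def __init__(self):
        self._failures = defaultdict(deque)  # key -> failure timestamps (single process only)
        self._locked_until = {}              # key -> unlock time

    def blocked(self, key):
        return self._locked_until.get(key, 0) > time.monotonic()

    def note(self, key, ok):
        """Record one attempt outcome; lock the key after too many failures."""
        now, q = time.monotonic(), self._failures[key]
        if ok:
            q.clear()
            self._locked_until.pop(key, None)
            return
        while q and now - q[0] > WINDOW_SECONDS:  # forget stale failures
            q.popleft()
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            q.clear()

USERS = {"admin": "correct horse battery staple"}  # constructed store; plaintext only for brevity

def migrate_email(body, client_ip, throttle):
    username = body.get("Username", "")
    keys = (f"user:{username}", f"ip:{client_ip}")  # throttle per account and per source
    if any(throttle.blocked(k) for k in keys):
        return 429  # refuse before touching the credential store
    # encode() so compare_digest accepts non-ASCII input instead of raising TypeError
    ok = username in USERS and hmac.compare_digest(USERS[username].encode(), body.get("Password", "").encode())
    throttle.note(keys[0], ok)          # a success resets only the account's counter
    if not ok:
        throttle.note(keys[1], False)   # the source key only ever accumulates failures
    return 200 if ok else 401

def replay_wordlist(size):
    """Replay `size` constructed guesses (only the last is correct) and count status codes."""
    throttle, statuses = AuthThrottle(), Counter()
    for i in range(size):
        password = USERS["admin"] if i == size - 1 else f"guess-{i}"
        body = {"Email": "admin@example.invalid", "Username": "admin", "Password": password}
        statuses[migrate_email(body, "203.0.113.7", throttle)] += 1
    return dict(statuses)
```

A production deployment would back the counters with shared storage and log the 429s, since a burst of them against one account is the detection signal for exactly the attack described in this report.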

We are processing your report and will contact the kareadita/kavita team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back a year ago
kareadita/kavita maintainer has acknowledged this report a year ago
Joe Milazzo
a year ago


This is valid and I will fix it. Nice catch

Joe Milazzo validated this vulnerability a year ago
zetc0de has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Milazzo marked this as fixed in with commit f8db37 a year ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
a year ago


@admin can you disclose this report? Also, can you assign a CVE for this vulnerability?

Joe Milazzo
a year ago


This is not ready for disclosure. Hence why it's not disclosed. When it is in our stable release, I will disclose this (and all others raised by you).

Joe Milazzo published this vulnerability a year ago