[High] No Rate Limiting on RPC Endpoints (Security/Stability) #20

Closed
opened 2026-02-11 18:50:18 +00:00 by thabeta · 0 comments
Owner

Issue

The JSON-RPC handler in caddy/openrpc/handler.go lacks rate limiting. An attacker can spam expensive endpoints like services.create or rpc.discover to cause a Denial of Service (DoS) or exhaust database connections.

Impact

  • DoS vulnerability allowing service degradation
  • Database connection exhaustion
  • Uncontrolled resource consumption

Remediation

Implement a Caddy-native or middleware-level rate limiter based on IP and User Public Key. Consider implementing:

  1. Per-IP rate limiting (e.g., 100 req/min)
  2. Per-user rate limiting based on public key
  3. Endpoint-specific limits for expensive operations

Files Affected

  • caddy/openrpc/handler.go
  • caddy/openrpc/module.go (rate limiting configuration)
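One way to implement the three limits the remediation lists, as an added example (not code from the webgateway project or from the issue author): a token-bucket middleware in Go, the language Caddy modules are written in, that keeps independent buckets per client IP, per public key and per expensive method, and answers a JSON-RPC error with HTTP 429 when a bucket is empty. It assumes the authenticated caller's public key arrives in an `X-Public-Key` header (a placeholder for whatever identity the gateway's authentication actually provides) and uses only the standard library; the policy values and method names in the test are constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"math"
	"net"
	"net/http"
	"sync"
	"time"
)

// Limit is one bucket's shape: burst tolerated, sustained refill per second (100 req/min = Burst 100, PerSecond 100.0/60).
type Limit struct {
	Burst     float64
	PerSecond float64
}

type bucket struct{ tokens float64; last time.Time }

// Limiter keeps one token bucket per key ("ip:...", "key:...", "method:..."); the clock is injected for testing.
type Limiter struct {
	mu      sync.Mutex
	buckets map[string]*bucket
	now     func() time.Time
}

func NewLimiter(now func() time.Time) *Limiter { return &Limiter{buckets: map[string]*bucket{}, now: now} }

// Allow refills the bucket for key according to lim and takes one token if one is available.
func (l *Limiter) Allow(key string, lim Limit) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: lim.Burst, last: t}
		l.buckets[key] = b
	}
	b.tokens = math.Min(lim.Burst, b.tokens+t.Sub(b.last).Seconds()*lim.PerSecond)
	b.last = t
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Policy maps onto the three remediation items: per IP, per public key, per expensive method.
type Policy struct {
	PerIP   Limit
	PerKey  Limit
	Methods map[string]Limit // tighter buckets for expensive methods, scoped per method and IP
}

// rpcEnvelope is the part of a JSON-RPC 2.0 request the limiter needs to see.
type rpcEnvelope struct {
	ID     json.RawMessage `json:"id"`
	Method string          `json:"method"`
}

// reject answers 429 with a JSON-RPC error object (-32000 is in the server-defined error range).
func reject(w http.ResponseWriter, id json.RawMessage) {
	if len(id) == 0 {
		id = json.RawMessage("null")
	}
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Retry-After", "1")
	w.WriteHeader(http.StatusTooManyRequests)
	fmt.Fprintf(w, `{"jsonrpc":"2.0","id":%s,"error":{"code":-32000,"message":"rate limited"}}`, id)
}

// RateLimit wraps a JSON-RPC handler. The caller's public key is assumed to arrive in an
// X-Public-Key header (assumption); substitute whatever identity the gateway's auth provides.
func RateLimit(p Policy, l *Limiter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap what the limiter buffers
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the unconsumed body downstream
		var env rpcEnvelope
		_ = json.Unmarshal(body, &env) // a malformed body still costs the sender a token
		ip, _, _ := net.SplitHostPort(r.RemoteAddr) // net/http always sets RemoteAddr as host:port
		if !l.Allow("ip:"+ip, p.PerIP) {
			reject(w, env.ID)
			return
		}
		if pk := r.Header.Get("X-Public-Key"); pk != "" && !l.Allow("key:"+pk, p.PerKey) {
			reject(w, env.ID)
			return
		}
		if lim, ok := p.Methods[env.Method]; ok && !l.Allow("method:"+env.Method+"@"+ip, lim) {
			reject(w, env.ID)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

In a Caddy handler module this logic would sit in the module's `ServeHTTP`, wrapping the next handler, with the `Policy` values parsed from the module configuration. Two caveats for deployment: if the gateway sits behind a reverse proxy, key the IP bucket on the trusted forwarded address rather than `RemoteAddr`, or every client collapses into the proxy's single bucket; and prune buckets that have been idle longer than their refill period, otherwise the limiter's map grows with every address that ever connected.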
Reference
geomind_code/webgateway#20