Files
3x-ui/internal
MHSanaei 0f9099149e fix(security): bound the login-limiter attempts map
The login rate limiter keys its records on the caller-supplied username and only
evicted a record when that exact key was revisited or the login succeeded. An
unauthenticated attacker replaying one CSRF token while rotating a fresh username
per request seeded a record that was never revisited, growing the map without
bound until the panel OOMs. Cap the map: before inserting a new record, reclaim
records whose block has lapsed and whose failures aged out, and if the map is
still at the ceiling under a broad flood, drop one so memory can never grow past
the cap.
2026-07-15 04:11:22 +02:00
..
2026-07-12 22:08:19 +02:00