davift opened a new issue, #13342:
URL: https://github.com/apache/cloudstack/issues/13342

   ### The required feature described as a wish
   
   <img width="899" height="548" alt="Image" src="https://github.com/user-attachments/assets/baa6832f-36ee-4e97-bd64-3bdbf21fb2ea" />
   
   **Description:** By default, CloudStack does not enforce rate limiting or 
request throttling on its API endpoints. Any client with network access to the 
management plane can issue an unlimited number of API requests without 
restriction, delay, or penalty.
   
   **Affected Components:** Management API
   
   **Impact:** An attacker or malfunctioning client can flood the API with 
requests, exhausting server-side resources (e.g., DB) and causing a denial of 
service. The absence of throttling also enables unlimited automated 
authentication attempts, which compounds the risk described in F-11.
   
   **Steps to Reproduce:**
   - Using a custom script or a fuzzing tool, send a high volume of requests in 
rapid succession to any API endpoint.
   - Observe that all requests are processed without any throttling, queuing 
delay, or rejection based on request rate.
   
   **Recommended Remediation:** Adopt rate-limiting and throttling 
out-of-the-box. Return `HTTP 429` with a `Retry-After` header when a threshold 
is exceeded, as an attempt to slow down legit clients (attackers do not slow down!).
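The remediation the report asks for, shown as an added illustrative example rather than CloudStack's own code: a per-client token bucket that admits requests while tokens remain, and otherwise answers `429` with a `Retry-After` header computed from the refill rate. The client key (an account or API-key identifier), the burst size and the sustained rate are assumptions chosen for the example; the `simulate_flood` helper plays the role of the high-volume client from the reproduction steps so the defender can see the cut-over from `200` to `429`.

```python
"""Per-client token-bucket limiter returning HTTP 429 + Retry-After.

Added example, not code from the CloudStack project. The client key,
capacity and refill rate are assumptions for illustration.
"""
import math
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Bucket:
    tokens: float  # tokens currently available (fractional while refilling)
    last: float    # monotonic timestamp of the last refill computation


@dataclass
class RateLimiter:
    capacity: int           # burst size: requests admitted instantly from a full bucket
    refill_per_sec: float   # sustained rate: tokens added per second
    buckets: Dict[str, Bucket] = field(default_factory=dict)

    def check(self, client_key: str, now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
        """Return (status, headers): (200, {}) if admitted, else (429, {"Retry-After": n})."""
        now = time.monotonic() if now is None else now
        bucket = self.buckets.get(client_key)
        if bucket is None:
            # First contact: start with a full bucket (assumed policy).
            bucket = Bucket(tokens=float(self.capacity), last=now)
            self.buckets[client_key] = bucket

        # Lazily refill based on elapsed time, never exceeding capacity.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(float(self.capacity), bucket.tokens + elapsed * self.refill_per_sec)
        bucket.last = now

        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return 200, {}

        # Over the threshold: tell the client how long until one token accrues.
        wait_seconds = (1.0 - bucket.tokens) / self.refill_per_sec
        return 429, {"Retry-After": str(math.ceil(wait_seconds))}


def simulate_flood(limiter: RateLimiter, client_key: str, n_requests: int,
                   start: float = 0.0, interval: float = 0.01) -> Dict[str, int]:
    """Constructed burst: n_requests spaced `interval` seconds apart from one client.

    Returns how many were admitted (200) and how many were throttled (429).
    """
    outcome = {"allowed": 0, "rejected": 0}
    for i in range(n_requests):
        status, _headers = limiter.check(client_key, now=start + i * interval)
        outcome["allowed" if status == 200 else "rejected"] += 1
    return outcome


if __name__ == "__main__":
    limiter = RateLimiter(capacity=5, refill_per_sec=1.0)
    print(simulate_flood(limiter, "account-a", 50))   # burst of 50 in ~0.5 s
    print(limiter.check("account-a", now=0.49))       # still throttled, with Retry-After
```

Because the bucket is keyed per client, one flooding client exhausts only its own allowance while other accounts keep a full bucket; the `Retry-After` value is the honest time to the next token, which well-behaved clients can obey and which a defender can also count in logs to spot clients that ignore it.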


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
