Description
PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any push-level defense, making short or dictionary-derived passphrases practically recoverable within hours or days.
Problem types
Improper Restriction of Excessive Authentication Attempts
Product status
Any version before 2.9.2
2.9.2 (semver)
Credits
de3erve-hunter
References
github.com/...Pusher/security/advisories/GHSA-59w3-h5v2-c4xw
github.com/...Pusher/security/advisories/GHSA-59w3-h5v2-c4xw (GitHub Security Advisory (GHSA-59w3-h5v2-c4xw))
www.vulncheck.com/...se-brute-force-via-unthrottled-endpoint (VulnCheck Advisory: PasswordPusher < 2.9.2 Passphrase Brute-Force via Unthrottled Endpoint)