CVE-2026-31903

WebSocket API Provider · WebSocket Application Programming Interface

The WebSocket Application Programming Interface fails to implement rate limiting or restrictions on authentication requests, enabling potential brute-force attacks.

Executive summary

A high-severity vulnerability in the WebSocket API allows attackers to perform unlimited authentication attempts, significantly increasing the risk of unauthorized account access.

Vulnerability

This vulnerability stems from the absence of throttling and account lockout mechanisms in the WebSocket API's authentication handler. An unauthenticated remote attacker can exploit this flaw by submitting an unbounded number of authentication requests over one or more WebSocket connections to guess user credentials.

Business impact

The lack of authentication rate limiting poses a significant risk of account takeover and unauthorized data access. Successful exploitation could lead to the compromise of sensitive user information, administrative control over the API, and potential downstream impact on integrated systems. The CVSS score of 7.5 reflects a High severity, primarily due to the ease of automating brute-force attacks against exposed interfaces.

Remediation

Immediate Action: Apply the latest security updates provided by the vendor to implement authentication request throttling and account lockout policies.

Proactive Monitoring: Review authentication logs for an unusually high volume of failed login attempts originating from single IP addresses or targeting specific accounts.

Compensating Controls: Deploy a Web Application Firewall (WAF) or API Gateway with rate-limiting rules that block excessive requests to authentication endpoints. Note that a WAF or gateway that inspects only the initial HTTP upgrade request will not see authentication messages sent over an already-established WebSocket connection; the control must either inspect WebSocket frames or limit the rate of new connections per source.
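The following is an added example, not the vendor's patch or code, of the throttling and lockout behaviour the remediation describes: a sliding-window limiter keyed on source IP and on account name, consulted for every authentication frame a WebSocket connection sends. The frame shape, the thresholds, the `AuthThrottle` and `handle_auth_message` names and the user store are all assumptions made for illustration.

```python
"""Added example (not the vendor's code): per-IP throttling and per-account lockout in
front of a WebSocket authentication message handler. The frame shape, thresholds,
class and function names, and the user store are all assumptions for illustration."""
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed user store: username -> sha256(password). A real service would use a salted,
# slow password hash (argon2/bcrypt); sha256 keeps this example dependency-free.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
DUMMY_DIGEST = hashlib.sha256(b"").hexdigest()  # compared against for unknown users


class AuthThrottle:
    """Sliding-window failed-attempt counters per source IP and per account.

    ip_limit failures from one IP inside `window` seconds throttle that IP;
    account_limit failures against one account lock it for `lockout` seconds.
    `clock` is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, ip_limit=20, account_limit=5, window=60.0,
                 lockout=900.0, clock=time.monotonic):
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._ip_fail = defaultdict(deque)    # ip -> timestamps of failures
        self._acct_fail = defaultdict(deque)  # username -> timestamps of failures
        self._locked_until = {}               # username -> unlock time

    def _prune(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def check(self, ip, username):
        """Return None if the attempt may proceed, otherwise a refusal reason."""
        now = self.clock()
        until = self._locked_until.get(username)
        if until is not None:
            if now < until:
                return "account_locked"
            del self._locked_until[username]  # lockout expired
        self._prune(self._ip_fail[ip], now)
        if len(self._ip_fail[ip]) >= self.ip_limit:
            return "ip_throttled"
        return None

    def record_failure(self, ip, username):
        now = self.clock()
        self._ip_fail[ip].append(now)
        dq = self._acct_fail[username]
        dq.append(now)
        self._prune(dq, now)
        if len(dq) >= self.account_limit:
            self._locked_until[username] = now + self.lockout
            dq.clear()

    def record_success(self, username):
        self._acct_fail.pop(username, None)


def handle_auth_message(throttle, ip, message):
    """Handle one {"type": "auth", "user": ..., "password": ...} frame from `ip`.

    The limiter is consulted per frame, not per connection: a single WebSocket
    connection can carry thousands of authentication frames.
    """
    username = str(message.get("user", ""))
    password = str(message.get("password", ""))
    reason = throttle.check(ip, username)
    if reason is not None:
        return {"type": "auth_error", "reason": reason}
    digest = hashlib.sha256(password.encode()).hexdigest()
    # Compare even for unknown users so response time does not reveal valid usernames.
    expected = USERS.get(username, DUMMY_DIGEST)
    ok = hmac.compare_digest(expected, digest) and username in USERS
    if not ok:
        throttle.record_failure(ip, username)
        return {"type": "auth_error", "reason": "invalid_credentials"}
    throttle.record_success(username)
    return {"type": "auth_ok", "user": username}
```

Two design points matter in practice. The per-IP counter alone is not enough, because an attacker with many source addresses stays under it while still exhausting one account's password space, so the account counter is what stops a targeted attack; conversely, a hard account lockout lets an attacker deny service to a legitimate user by deliberately failing, so production deployments usually prefer escalating delays or step-up challenges over a fixed lockout, or at least alert on lockouts so the denial is visible.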

Exploitation status

Public Exploit Available: false

Analyst recommendation

The absence of authentication restrictions is a fundamental security oversight that must be addressed immediately. Organizations should prioritize the deployment of vendor-supplied patches to protect against automated brute-force and credential-stuffing attacks. In the interim, strictly monitor WebSocket authentication traffic for anomalous patterns, such as many failures from one source address or many failures against one account, to detect and mitigate ongoing exploitation attempts.
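As an added example of the interim monitoring recommended above (not tooling from the vendor or the advisory), the script below runs a sliding-window failure count over authentication log lines, keyed both by source IP and by account so that a distributed attack on a single account is caught as well as a single noisy source. The log line format, the sample lines and the thresholds are constructed for the example; the `LINE_RE` pattern would be adapted to the real product's log format.

```python
"""Added example, not from the advisory: flag brute-force patterns in WebSocket
authentication logs. The log line format and the sample lines are constructed for
this example; adapt LINE_RE to the real product's log format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: 203.0.113.5 sprays five accounts in three seconds, the "admin"
# account is attacked from three different sources, and the rest is ordinary traffic.
SAMPLE_LOG = """\
2026-03-01T12:00:00Z ws-auth src=198.51.100.7 user=alice result=ok
2026-03-01T12:00:01Z ws-auth src=203.0.113.5 user=alice result=fail
2026-03-01T12:00:01Z ws-auth src=203.0.113.5 user=bob result=fail
2026-03-01T12:00:02Z ws-auth src=203.0.113.5 user=carol result=fail
2026-03-01T12:00:02Z ws-auth src=203.0.113.5 user=dave result=fail
2026-03-01T12:00:03Z ws-auth src=203.0.113.5 user=erin result=fail
2026-03-01T12:00:10Z ws-auth src=192.0.2.10 user=admin result=fail
2026-03-01T12:00:11Z ws-auth src=192.0.2.11 user=admin result=fail
2026-03-01T12:00:12Z ws-auth src=192.0.2.12 user=admin result=fail
2026-03-01T12:05:00Z ws-auth src=198.51.100.8 user=bob result=fail
2026-03-01T12:05:30Z ws-auth src=198.51.100.8 user=bob result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ws-auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return (epoch_seconds, src_ip, username, result) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["src"], m["user"], m["result"]


def find_bruteforce(lines, window_s=60, ip_threshold=5, account_threshold=3):
    """Sliding-window count of failures per source IP and per account.

    Returns {("ip", addr) | ("account", user): {"count": n, "at": iso_time}} for every
    key that crossed its threshold (reported once, at the first crossing). Counting per
    account as well as per IP catches distributed attacks that stay under the per-IP limit.
    """
    ip_fail = defaultdict(deque)
    acct_fail = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, result = parsed
        if result != "fail":
            continue
        for kind, key, store, limit in (("ip", src, ip_fail, ip_threshold),
                                        ("account", user, acct_fail, account_threshold)):
            dq = store[key]
            dq.append(ts)
            while dq and ts - dq[0] > window_s:
                dq.popleft()
            if len(dq) >= limit and (kind, key) not in alerts:
                alerts[(kind, key)] = {
                    "count": len(dq),
                    "at": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for (kind, key), info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{kind}={key}: {info['count']} failures in window at {info['at']}")
```

On the constructed sample this reports the spraying source (five failures in three seconds) and the targeted `admin` account (three failures from three different addresses), while the lone failed login for `bob` five minutes later stays below both thresholds. Thresholds should be tuned against a baseline of normal failure rates for the deployment; a per-IP rule alone would have missed the `admin` case entirely.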