mirror of
https://github.com/documenso/documenso.git
synced 2026-04-24 21:36:01 +03:00
[GH-ISSUE #2474] 🛡️ Bug Report: No Rate Limit on Forgot Password — Email Flooding & Abuse Risk #688
Open
opened 2026-02-26 18:48:04 +03:00 by kerem
·
0 comments
No Branch/Tag specified
main
chore/translations
feat/signing-required-field-colors
feat/add-field-overflow-settings
chore/extract-translations
release
feat/public-completed-document-access
feat/bulk-download
docs/signing-reminders
feat/document-file-conversion
feat/prefetch-intent-navigation-links
fix/lint-project
fix/replace-linter-with-biome
fix/security-improvements
perf/dynamic-import-posthog
deps/vite-8
chore/migrate-eslint-prettier-to-oxlint-oxfmt
chore/migrate-to-pnpm
feat/add-pdf-image-renderer
feat/add-embed-v2
fix/extract-emails
feat/table-toolbar-filters
copilot/sub-pr-2478
fix/recipients-send-500
feat/external-2fa-codes
feat/protect-signing-urls
fix/checkbox-checked-values
duncan/legacy-api-endpoints
chore/block-po-files-locally
fix/default-embed-v2-document-rejection-to-false
fix/fields-dialog-title-description
copilot/sub-pr-2323
copilot/sub-pr-2267
exp/autoplace-fields
chore/server-hostname-config
fix/template-add-signers
fix/add-field-drag-drop-colors
fix/envelope-updates
feat/allow-formdata
archive/1.13.2
copilot/add-billing-section-account-page
fix/field-coordinate-bounds
feat/update-user-via-admin-dashboard
feat/expiry-links
feat/team-dashboard
feat/change-radio-direction
feat/admin-create-user-with-org
archive/v1.12.11
feat/envelopes-polish
feat/add-attachments-reworked
fix/font-size-fields
feat/improve-resend-dialog
fix/download-certificate-audit-log-safari
fix/duplicate-document-by-id
feat/document-table-filters
fix/template-migration
exp/effect
fix/migrate-template-metadata
exp/keyboard-signature
feat/document-2fa-redo
feat/add-attachments
feat/billing-redirect-flow
fix/add-api-logging
fix/duplicate-document-template-review
feat/handle-redirectto-param
feat/document-processing-status-indicator
feat/customize-doc-audit-log-certificate
feat/document-2fa
feat/organisations-backup-pls
feat/audit-logs-on-completed-document
chore/webhook-trigger-multiselect
exp/bg
chore/single-signer-wording
fix/template-uploading
feat/bin-tab
fix/staging-test
feat/rr7
squish/rr7
archive/nextjs
power-signer
fix/field-placements
fix/team-member-invites
fix/checkbox-field-bugs
fix/leaderboard-query
fix/zapier-list-documents-endpoint
feat/dictate-signers
feat/allow-same-signer-email-multiple-times
wip/rr7-next
experiment/self-sign
fix/oidc-login-error
feat/document-qrcode
feat/mau
feat/copy-links-audit-logs
chore/december-dep-upgrades
wip/rr7
wip/rr7-auth-package
wip/rr7-better-auth-demo
experiment/what-if-user-ids-were-strings-instead-of-numbers
fix/refactor-api-routes
feat/add-owner-completed-email-setting
fix/embed-whitelabel-colors
feat/delete-archive
fun/sign-with-nose
expiry-links
chore/openpage-viral-metrics
fix/sitemap
feat/signing-reminder
feat/automated-fields-signature
feat/add-polish-translations
staging
fix/open-page
openpage-api-deploy
feat/pulumi
chore/angular-embed-docs
exp/next-15
chore/select-signer
feat/save-data-on-blur
feat/save-recipients-on-blur
feat/signature-color
feat/team-email-template
chore/documenso-url
chore/add-ctas
fix/docker-setup-and-documentation
fix/document-creation-timezone
feat/telemetry
feat/integration-animation
fix/render-deployment
feat/publicProfile
feat/redirect-templates
feat/passkey-dialog
fix/refactor-use-template
chore/resend-onUpdate
chore/subject-onBlur
fix/demo-trpc-duration
fix/self-signer-custom-email-message
fix/benchmark
feat/add-myself-as-signer-temp
feat/checkbox-type
feat/update-marketing-header
experiment/queue
feat/error-demo
feat/add-document-auth-options
feat/document-2fa-test
chore/status-widget
open-page-restructure
feat/document-passkey-test
chore/form-reset
fix/neon-db-migration-test
feat/public-profile
feat/launch-week-content
webhooks_plus_api
exp/custom-field-labels
feat/accept-text-signature
feat/document-version-history
fix/delete-recipient-owners
fix/whitespace-title
feat/refresh
exp/million
feat/doc-comments
ElTimuro-patch-1
feat/teams-slugify
pr/537
date-format-setting
exp/millionjs
feat/runtime-env
chore/next-14
feat/chat-with-documents
feat/plan-limits
fix/467-bugsafari-only-unable-to-copy-document-sharing-link
feat/admin-ui-manage-instance
feat/stripe-free-tier
fix/cascade-delete-share-links
feat/marketing-share-document
feat/single-player-mode-polish
feat/next-13-5-3
chore/github-templates
docs/render-deploy
chore/code-of-conduct
chore/team
feat/add-e2e-testing
docs/minor-readme-updatess
docs/dx
feat-early-adopters
feat/open-early-adopters
fix/432-signee-doc-version-doesnt-have-sticky-signing-area
fix/446-cancel-cta-does-nothing-when-a-signer-opens-the-document
fix/445-signer-name-not-persisting
feat/resend-transport
fix/incorrect-completed-stats
feat/update-email-templates
feat/mania
feat/copy-or-tweet
feat/add-design-system-page
feat/single-player-mode
feat/completed-share-link
feat/designsystem
feat/send-email
feat/custom-emails
blog/upcoming-blog-post
feat/single-player-mode-test
feat/reset-password
blog/selfhosting-blog-post
feat/redirect-signed-document
fix/og-description
feat/universal-upload
chore/readme
chore/blogposts
fix/building-documenso-description
feat/admin-ui-metrics
feat/avatar-fallback
feat/templates
feat/blog-post-next
fix/hide-user-selection
feat/disable-sign
feat/marketing-mobile-nav
chore/remove-console-log-warn
feat/add-email-field
fix/redirect-signin-to-dashboard
feat/blog-og-image
feat/redirect-on-send
feat/billing-page
feat/profile-password-form
fix/signature-color-dark-mode
feat/inbox
feat/promise-safety
readme
chore/reduce-refetch-time
feat/update-document-flow
feat/refactor-shared-components
feat/feature-flag
feat/document-authoring
feat/pie-chart-legend
feat/open-page
docs/add-gitpod-setup
docs/add-render-deploy
docs-coventional-commits
feat/table-actions
minor/updates-google-auth-refresh
feat/add-document-animation
feat/new-email-template
feat/password-reset
fix/send-error-double-send
fix/improve-stripe-webhook-endpoint
feat/support-custom-cert-paths
feat/DOC-170-add-name-field
fix/improve-general-styling
feat/DOC-210-sign-dialog-broken-on-second-opening
bugfix-#71/invalid-email-hint
chore/optimise-deps
test-pr
v2.9.1
v2.9.0
v2.8.1
v2.8.0
v2.7.1
v2.7.0
v2.6.1
v2.6.0
v2.5.1
v2.5.0
v2.4.0
v2.3.2
v2.3.1
v2.3.0
v2.2.8
v2.2.7
v2.2.6
v2.2.5
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.0
v2.0.14
v2.0.13
v2.0.12
v2.0.11
v2.0.10
v2.0.9
v2.0.8
v2.0.7
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.13.2
v1.13.1
v1.13.0
v1.12.10
v1.12.9
v1.12.8
v1.12.7
v1.12.6
v1.12.5
v1.12.4
v1.12.3
v1.12.2-rc.6
v1.12.2-rc.5
v1.12.2-rc.4
v1.12.2-rc.3
v1.12.2-rc.2
v1.12.2-rc.1
v1.12.2-rc.0
v1.12.1
v1.12.0
v1.12.0-rc.8
v1.12.0-rc.7
v1.12.0-rc.6
v1.12.0-rc.5
v1.12.0-rc.4
v1.12.0-rc.3
v1.12.0-rc.2
v1.12.0-rc.1
v1.12.0-rc.0
v1.11.1
v1.11.0
v1.10.3
v1.10.2
v1.10.1
v1.10.0
v1.10.0-rc.5
v1.10.0-rc.4
v1.10.0-rc.3
v1.10.0-rc.2
v1.10.0-rc.1
v1.10.0-rc.0
v1.9.1-rc.9
v1.9.1
v1.9.1-rc.8
v1.9.1-rc.7
v1.9.1-rc.6
v1.9.1-rc.5
v1.9.1-rc.4
v1.9.1-rc.3
v1.9.1-rc.2
v1.9.1-rc.1
v1.9.1-rc.0
v1.9.0
v1.9.0-rc.12
v1.9.0-rc.11
v1.9.0-rc.10
v1.9.0-rc.9
v1.9.0-rc.8
v1.9.0-rc.7
v1.9.0-rc.6
v1.9.0-rc.5
final-marketing-release
v1.9.0-rc.4
v1.9.0-rc.3
v1.9.0-rc.2
v1.9.0-rc.1
v1.9.0-rc.0
v1.8.1
v1.8.1-rc.9
v1.8.1-rc.8
v1.8.1-rc.7
v1.8.1-rc.6
v1.8.1-rc.5
v1.8.1-rc.4
v1.8.1-rc.3
v1.8.1-rc.2
v1.8.1-rc.1
v1.8.1-rc.0
v1.8.0-rc.4
v1.8.0
v1.8.0-rc.3
v1.8.0-rc.2
v1.8.0-rc.1
v1.8.0-rc.0
v1.7.2
v1.7.2-rc.4
v1.7.2-rc.3
v1.7.2-rc.2
v1.7.2-rc.1
v1.7.2-rc.0
v1.7.1-rc.3
v1.7.1
v1.7.1-rc.2
v1.7.1-rc.1
v1.7.1-rc.0
v1.7.0
v1.7.0-rc.5
v1.7.0-rc.4
v1.7.0-rc.3
v1.7.0-rc.2
v1.7.0-rc.1
v1.7.0-rc.0
v1.6.1
v1.6.1-rc.1
v1.6.1-rc.0
v1.6.0
v1.6.0-rc.3
v1.6.0-rc.2
v1.6.0-rc.1
v1.6.0-rc.0
v1.5.6
v1.5.6-rc.4
v1.5.6-rc.3
v1.5.6-rc.2
v1.5.6-rc.1
v1.5.6-rc.0
v1.5.5-rc.8
v1.5.5
v1.5.5-rc.7
v1.5.5-rc.6
v1.5.5-rc.5
v1.5.5-rc.4
v1.5.5-rc.3
v1.5.5-rc.2
v1.5.5-rc.1
v1.5.5-rc.0
v1.5.4-rc.5
v1.5.4
v1.5.4-rc.4
v1.5.4-rc.3
v1.5.4-rc.2
v1.5.4-rc.1
v1.5.4-rc.0
v1.5.3-rc.1
v1.5.3
v1.5.3-rc.0
v1.5.2-rc.8
v1.5.2
v1.5.2-rc.7
v1.5.2-rc.6
v1.5.2-rc.5
v1.5.2-rc.4
v1.5.2-rc.3
v1.5.2-rc.2
v1.5.2-rc.1
v1.5.2-rc.0
v1.5.1
v1.5.1-rc.0
v1.5.0-rc.6
v1.5.0
v1.5.0-rc.5
v1.5.0-rc.4
v1.5.0-rc.3
v1.5.0-rc.2
v1.5.0-rc.1
v1.5.0-rc.0
v1.4.0-rc.0
v1.4.0
v1.3.2-rc.0
v1.3.1-rc.2
v1.3.1
v1.3.1-rc.1
v1.3.1-rc.0
v1.3.0-rc.2
v1.3.0
v1.3.0-rc.1
v1.3.0-rc.0
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1
v1.0
v0.9
before-prettier
0.9-developer-preview
Labels
Clear labels
Mirrored from GitHub Pull Request
Compliance
Stale
apps: marketing
apps: web
community
component: api
component: integrations
component: ui
duplicate
effort: low
effort: medium
good first issue
hacktoberfest
help wanted
needs triage
needs-replication
needs-testing
on-hold
osshack
priority: high
priority: low
priority: medium
pull-request
Mirrored from GitHub Pull Request
question
roadmap
status: assigned
status: blocked
status: in progress
status: triage
type: bug
type: bug
type: bug
type: documentation
type: enhancement
type: feature
wontfix
💎 Bounty
💰 Rewarded
💰 Rewarded
No labels
Compliance
Stale
apps: marketing
apps: web
community
component: api
component: integrations
component: ui
duplicate
effort: low
effort: medium
good first issue
hacktoberfest
help wanted
needs triage
needs-replication
needs-testing
on-hold
osshack
priority: high
priority: low
priority: medium
pull-request
question
roadmap
status: assigned
status: blocked
status: in progress
status: triage
type: bug
type: bug
type: bug
type: documentation
type: enhancement
type: feature
wontfix
💎 Bounty
💰 Rewarded
💰 Rewarded
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".
No due date set.
Dependencies
No dependencies set.
Reference
starred/documenso#688
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Cyberheroes1010 on GitHub (Feb 11, 2026).
Original GitHub issue: https://github.com/documenso/documenso/issues/2474
Issue Description
Reported by: Vikash Gupta
Severity: Medium
Category: Rate Limiting Issue / Abuse Vector / Email Flooding
Summary
The Forgot Password functionality lacks proper rate limiting, allowing an attacker to send unlimited password reset emails to any registered user.
An attacker can repeatedly trigger password reset requests, resulting in email flooding to the victim’s inbox. This can cause disruption, annoyance, and potential denial of service to the victim’s email usage.
The issue indicates missing protections against automated abuse.
Steps to Reproduce
Steps to Reproduce
Go to the Forgot Password page. :- https://app.documenso.com/forgot-password
Enter a valid registered email address.
Submit the reset request.
Repeat the request multiple times through intruder attack & do 40 null payload attack !
BOOM!
POC Image
Expected Behavior
Impact
📧 Email Flooding: Victim inbox can be spammed.
🚫 User Disruption: Important emails may be missed.
🤖 Automation Risk: Attackers can script large-scale abuse.
⚠️ Brand Trust Impact: Users may view emails as spam or harassment.
Business Impact
📉 Reputation Damage: Platform emails may be flagged as spam.
📨 Email Infrastructure Cost: Increased mail server load.
🛠️ Support Burden: Users report spam/reset abuse.
🔒 Security Concern: Weak abuse-prevention controls.
CVSS v3.1 (Recommended)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Score: 5.3 — Medium
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Rationale:
No authentication required and easily repeatable, causing availability impact through email flooding.
Current Behavior
Root Cause (Likely)
Missing rate limiting on forgot password endpoint
No CAPTCHA or bot protection
No cooldown period between requests
Lack of abuse detection
Screenshots (optional)
No response
Operating System [e.g., Windows 10]
1
Browser [e.g., Chrome, Firefox]
11
Version [e.g., 2.0.1]
1
Please check the boxes that apply to this issue report.