Impact
The vulnerability is in the Zae‑Limiter rate‑limiting library, which implements a token bucket backed by DynamoDB. Prior to version 0.10.1, all of the token‑bucket state belonging to an entity is written under a single partition key of the form namespace/ENTITY#{id}, so every write for that entity lands in one DynamoDB partition. DynamoDB caps each partition at roughly 1,000 write capacity units per second; when a single high‑traffic entity writes faster than that, DynamoDB throttles the requests and the client receives ProvisionedThroughputExceededException. The throttling surfaces inside the rate limiter as increased latency or rejected writes for that entity, and it also hits other entities whose keys happen to be placed in the same underlying partition. The weakness is uncontrolled resource consumption (CWE‑770), and its effect is a denial‑of‑service condition.
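The following Python model is added here as an illustration and is not code from zae-limiter or ZeroAE. It replays a one-second write burst against a per-partition budget of 1,000 WCU and compares the pre-0.10.1 layout (one partition key per entity) with a generic shard-suffix layout. The shard suffix, the entity names, the write counts and the explicit placement of keys onto physical partitions are all constructed assumptions; in particular, the sharded layout is a common mitigation for hot partitions and not a claim about what 0.10.1 actually changed.

```python
"""Model of the hot-partition failure mode described above.

Constructed illustration, not code from zae-limiter. It models
DynamoDB's per-partition write ceiling (~1,000 WCU/s) as a counter
per (second, physical partition) and compares two key layouts:

  * pre-0.10.1 style: one partition key per entity
    (namespace/ENTITY#{id}), so a burst from one entity saturates
    one partition and starves every other key placed there;
  * an assumed mitigation: the hot entity's writes are spread over
    several shard keys (a generic technique, not a claim about what
    0.10.1 actually changed).

Physical placement of keys is fixed explicitly here; real DynamoDB
chooses it by hashing the partition key.
"""
from collections import Counter

PARTITION_WCU_LIMIT = 1000  # approximate DynamoDB per-partition write ceiling


def entity_key(namespace: str, entity_id: str) -> str:
    """Pre-0.10.1 style partition key: all of an entity's items share it."""
    return f"{namespace}/ENTITY#{entity_id}"


def sharded_key(namespace: str, entity_id: str, shard: int) -> str:
    """Assumed mitigation: append a shard suffix so one entity spans N keys."""
    return f"{namespace}/ENTITY#{entity_id}#S{shard}"


def simulate(writes, placement, limit=PARTITION_WCU_LIMIT):
    """Replay writes in arrival order against per-partition budgets.

    writes:    list of (second, partition_key, entity_id), each costing 1 WCU
    placement: partition_key -> physical partition index (constructed)
    Returns (accepted, throttled) Counters keyed by entity_id.
    """
    used = Counter()                 # (second, physical partition) -> WCU spent
    accepted, throttled = Counter(), Counter()
    for second, pk, entity in writes:
        slot = (second, placement[pk])
        if used[slot] < limit:
            used[slot] += 1
            accepted[entity] += 1
        else:                        # here DynamoDB would return
            throttled[entity] += 1   # ProvisionedThroughputExceededException
    return accepted, throttled


def workload_single_key(ns="prod", hot="bulk-uploader", quiet="alice",
                        hot_rate=3000, quiet_rate=10):
    """One key per entity; both keys assumed co-located on partition 0.

    The hot entity's burst arrives first within the same second, so the
    quiet entity's handful of writes find the partition already exhausted.
    """
    hot_pk, quiet_pk = entity_key(ns, hot), entity_key(ns, quiet)
    writes = [(0, hot_pk, hot)] * hot_rate + [(0, quiet_pk, quiet)] * quiet_rate
    placement = {hot_pk: 0, quiet_pk: 0}
    return simulate(writes, placement)


def workload_sharded(ns="prod", hot="bulk-uploader", quiet="alice",
                     hot_rate=3000, quiet_rate=10, shards=4):
    """Hot entity spread over `shards` keys, each assumed on its own partition."""
    writes, placement = [], {}
    for i in range(hot_rate):
        pk = sharded_key(ns, hot, i % shards)
        placement[pk] = i % shards
        writes.append((0, pk, hot))
    quiet_pk = entity_key(ns, quiet)
    placement[quiet_pk] = 0          # shares partition 0 with shard 0
    writes += [(0, quiet_pk, quiet)] * quiet_rate
    return simulate(writes, placement)


if __name__ == "__main__":
    for name, run in (("single key", workload_single_key),
                      ("sharded", workload_sharded)):
        accepted, throttled = run()
        print(f"{name:10s} accepted={dict(accepted)} throttled={dict(throttled)}")
```

With the single-key layout the 3,000-write burst gets 1,000 writes through and 2,000 throttled, and the quiet entity's ten writes are all throttled even though it sent almost nothing; that collateral effect is the denial-of-service the advisory describes. With four shard keys each partition sees 750 writes and nothing is throttled. Note that sharding a token bucket is not a drop-in change: the bucket's capacity is either split across the shard keys or has to be summed on read, which alters the limiter's semantics, so any real fix needs to be evaluated against the library's own accounting rather than copied from this model.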
Affected Systems
All releases of ZeroAE ZaE‑Limiter before 0.10.1 are affected; 0.10.1 is the first fixed version. The library is used in applications that implement request throttling against DynamoDB with a single partition key per entity. The vulnerable component is identified by a CPE that matches ZeroAE ZaE‑Limiter.
Risk and Exploitability
A CVSS score of 4.3 rates the vulnerability as medium severity. The EPSS score of less than 1% indicates a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so there is no evidence of active exploitation. An attacker would need to sustain a burst of traffic against a single entity tracked by the library for long enough to exceed the partition's write throughput and trigger DynamoDB throttling. The likely attack vector is application‑level traffic, either through compromised application credentials or legitimate users sending high request volumes, rather than a dedicated network‑exposed service. Operators can confirm whether the condition is occurring from the table's WriteThrottleEvents CloudWatch metric and from ProvisionedThroughputExceededException errors in the application's DynamoDB client logs; the remediation is to upgrade to 0.10.1 or later.