Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
5DescriptionCVE.org
An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial of service via the Checkout Authentication Flow component
AnalysisAI
Denial of service in Hostbill versions 2025-11-24 and 2025-12-01 allows remote unauthenticated attackers to degrade service availability through the Checkout Authentication Flow component via uncontrolled resource consumption (likely improper rate limiting). The vulnerability has a low-to-moderate CVSS score (5.3) reflecting limited impact scope, but exploitation requires no authentication or user interaction and can be triggered over the network.
Technical ContextAI
The vulnerability resides in Hostbill's Checkout Authentication Flow component and is classified as CWE-400 (Uncontrolled Resource Consumption). This CWE category typically encompasses improper rate limiting, resource exhaustion, or denial of service conditions triggered by excessive requests or resource allocation within a specific code path. The affected component is part of the payment checkout process, which is typically exposed to unauthenticated users during transaction initiation. The GitHub reference to 'Rate Limit Bypass' in the disclosure repository suggests the root cause is insufficient or absent rate limiting controls on the authentication endpoint.
RemediationAI
Upgrade Hostbill to the patched version released after 2025-12-01; consult https://hostbillapp.com/release-notes/ or the vendor security advisory at https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/ for the exact fixed version number. As a compensating control pending upgrade, implement rate limiting at the reverse proxy or load balancer level targeting the Checkout Authentication Flow endpoint (typically /checkout/auth or similar) to restrict requests per IP address to a reasonable threshold (e.g., 10 requests per minute per source IP). Monitor checkout logs for spike patterns indicating resource exhaustion attempts. If the vendor advisory specifies a particular query parameter or request characteristic triggering the issue, implement WAF rules to block malformed requests to the affected endpoint. Note that external rate limiting does not address the underlying code defect and should be treated as temporary; vendor patch application is the permanent fix.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25424