CVE-2023-52075 – The ReVanced API lacks proper error caching, ca... (How to Fix)

Q: What is the severity of CVE-2023-52075?

CVE-2023-52075 has a CVSS score of 7.5 (HIGH). The ReVanced API lacks proper error caching, causing rate limits to be triggered unnecessarily and increasing server load. This leads to denial of service for all users accessing the API. Anyone using ReVanced API versions up to commit 71f81f7f20cd26fd707335bca9838fa3e7df20d2 is affected.

📋 TL;DR

The ReVanced API lacks proper error caching, causing rate limits to be triggered unnecessarily and increasing server load. This leads to denial of service for all users accessing the API. Anyone using ReVanced API versions up to commit 71f81f7f20cd26fd707335bca9838fa3e7df20d2 is affected.

💻 Affected Systems

Products:

ReVanced API

Versions: All versions up to and including commit 71f81f7f20cd26fd707335bca9838fa3e7df20d2

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: This affects the API server component that feeds data to ReVanced Manager and website.

📦 What is this software?

Revanced by Revanced

View all CVEs affecting Revanced →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete API unavailability causing service disruption for all ReVanced Manager and website users, potentially extended downtime.

🟠

Likely Case

Intermittent API slowdowns and errors as rate limits are triggered, degrading user experience.

🟢

If Mitigated

Normal API operation with proper error handling and caching in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending requests to trigger rate limits, which is trivial. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit after 71f81f7f20cd26fd707335bca9838fa3e7df20d2

Vendor Advisory: https://github.com/ReVanced/revanced-api/security/advisories/GHSA-852x-grxp-8p3q

Restart Required: Yes

Instructions:

1. Update ReVanced API to latest version after commit 71f81f7f20cd26fd707335bca9838fa3e7df20d2. 2. Restart the API service. 3. Verify error caching is properly implemented.

🔧 Temporary Workarounds

Implement rate limiting with caching

all

Add error caching layer to prevent unnecessary rate limit triggers

# Requires code changes to implement proper error caching

Increase rate limit thresholds

all

Temporarily increase rate limits to reduce DoS impact

# Modify API configuration to increase rate limit values

🧯 If You Can't Patch

Implement external caching proxy (like Varnish) to handle error responses
Deploy load balancer with rate limiting capabilities

🔍 How to Verify

Check if Vulnerable:

Check if ReVanced API version is at or before commit 71f81f7f20cd26fd707335bca9838fa3e7df20d2

Check Version:

git log --oneline -1

Verify Fix Applied:

Test API with error-inducing requests and verify rate limits aren't triggered unnecessarily

📡 Detection & Monitoring

Log Indicators:

Excessive rate limit error messages
Unusual spike in 429 HTTP responses
Increased error response counts

Network Indicators:

High volume of API error responses
Increased latency for API requests
429 status code patterns

SIEM Query:

source="revanced-api" AND (status=429 OR message="rate limit") | stats count by src_ip

📊 Metadata

CVE ID: CVE-2023-52075

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-755

Published: December 27, 2023

Last Updated: November 21, 2024

🔗 References

https://github.com/ReVanced/revanced-api/security/advisories/GHSA-852x-grxp-8p3q Vendor Advisory
https://github.com/ReVanced/revanced-api/security/advisories/GHSA-852x-grxp-8p3q Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-52075, you might also want to check these: