Juice Shop Security Scan Flags Missing Rate Limiting with High-Severity CVSS 7.5 Score
A scheduled security scan has uncovered a potentially significant vulnerability in the Juice Shop application, with CodeQL's automated analysis flagging a missing rate-limiting control in the project's server code. The finding carries a CVSS score of 7.5, placing it in the high-severity range and signaling a security gap that could expose the application to abuse if left unaddressed.
The vulnerability was identified in `server.ts` at line 250, where a route handler performs authorization checks but lacks rate-limiting protections. CodeQL rule `js/missing-rate-limiting` triggered the warning, noting that the absence of rate limiting on authenticated endpoints creates an opportunity for potential denial-of-service attempts or credential brute-forcing. The issue was automatically detected during a scheduled security scan on March 8, 2026, as part of the project's ongoing security monitoring workflow.
While the finding is classified at the warning level rather than a critical alert, the CVSS 7.5 score underscores the real risk that missing rate-limiting controls present in production environments. Rate limiting serves as a fundamental defense layer against automated attacks, and its absence on authorization-handling routes could allow malicious actors to overwhelm the service or systematically probe access controls without throttling. The security scan recommends reviewing the flagged code section and implementing appropriate rate-limiting mechanisms to close the gap. For a project like Juice Shop—a deliberately vulnerable web application often used for security training—the discovery highlights the importance of continuous automated security testing even in educational codebases.
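To make the flagged pattern concrete, the following is an added example (not Juice Shop's own code and not the contents of `server.ts` line 250, which the scan report does not quote). It shows a hypothetical Express-style route that checks authorization but has no throttling, then the same route fronted by a small fixed-window rate limiter written in the shape of Express middleware. The route name, window size, request budget and the tiny `res` stand-in are assumptions so the code runs offline without a server; a production codebase would normally use a maintained package such as `express-rate-limit` rather than a hand-rolled limiter.

```javascript
// Added example, not code from the Juice Shop project or the scan report.
// A minimal fixed-window rate limiter shaped like Express middleware, plus a
// simulated authorization-checking route so the "before" and "after" can be
// exercised without a running server. Route, limits and the res stand-in are
// assumptions for illustration only.

// Build middleware allowing at most `max` requests per `windowMs` per client key
// (the remote IP here). `now` is injectable so time can be controlled in tests.
function createRateLimiter({ windowMs, max, now = () => Date.now() }) {
  const buckets = new Map(); // key -> { count, windowStart }

  return function rateLimit(req, res, next) {
    const key = req.ip;
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || t - bucket.windowStart >= windowMs) {
      bucket = { count: 0, windowStart: t }; // start a fresh window
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    // Advertise the budget so well-behaved clients can back off.
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(Math.max(0, max - bucket.count)));
    if (bucket.count > max) {
      const retryAfterSec = Math.ceil((bucket.windowStart + windowMs - t) / 1000);
      res.setHeader('Retry-After', String(retryAfterSec));
      return res.status(429).json({ error: 'Too Many Requests' });
    }
    return next();
  };
}

// Hypothetical authorization check standing in for the flagged handler.
function requireAdmin(req, res, next) {
  if (!req.user || req.user.role !== 'admin') {
    return res.status(403).json({ error: 'Forbidden' });
  }
  return next();
}

function adminHandler(req, res) {
  return res.status(200).json({ ok: true });
}

// Tiny stand-in for Express's response object so the chain runs offline.
function makeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (k, v) => { res.headers[k] = v; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Run a middleware chain the way Express does: each step calls next() to continue,
// and a step that responds without calling next() ends the chain.
function runChain(chain, req) {
  const res = makeRes();
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  return res;
}

// Before: authorization is checked, but nothing throttles repeated attempts,
// so a caller can probe the access control as fast as the server answers.
const unprotectedChain = [requireAdmin, adminHandler];

// After: the limiter runs before the authorization check, so even rejected (403)
// attempts consume the caller's budget and repeated probing is slowed down.
function buildProtectedChain(opts) {
  return [createRateLimiter(opts), requireAdmin, adminHandler];
}

// Send `n` requests from one client through a chain and collect status codes.
function simulate(chain, n, req) {
  const codes = [];
  for (let k = 0; k < n; k++) codes.push(runChain(chain, req).statusCode);
  return codes;
}

// Constructed sample client: an unauthenticated caller hitting the admin route.
const sampleGuest = { ip: '198.51.100.7', user: null };
console.log('unprotected:', simulate(unprotectedChain, 5, sampleGuest).join(','));
console.log('protected:  ',
  simulate(buildProtectedChain({ windowMs: 60000, max: 3 }), 5, sampleGuest).join(','));
```

The ordering matters: placing the limiter after the authorization check would let unauthenticated requests bypass throttling entirely, which is exactly the probing scenario the scan warns about. Keying on `req.ip` also assumes the application sits behind a trusted proxy configuration; otherwise the key should be derived from the authenticated identity or a verified client address.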