Severity: Critical
CVSS Score: 9.1
## Severity: HIGH

### Summary

The TOTP brute-force rate limiter in `openssl_encrypt_server/modules/pepper/totp.py` at **lines 47-98** uses an in-memory `defaultdict(list)` as a class variable.

### Affected Code

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List


class TOTPRateLimiter:
    def __init__(self, ...):
        # Attempt timestamps and lockout expiries live only in this process's memory
        self.attempts: Dict[str, List[datetime]] = defaultdict(list)
        self.lockouts: Dict[str, datetime] = {}


class TOTPService:
    _rate_limiter = TOTPRateLimiter()  # Class variable, in-memory only
```

### Impact

1. Rate limit state is **not shared** across multiple server instances/workers — an attacker can distribute attempts
2. All rate limit state is **lost on server restart** — allows immediate retry
3. In multi-worker deployments, each worker has independent rate limit state

### Recommended Fix

- Use Redis or the database for rate limit state storage
- Or use a shared-memory approach for multi-worker deployments
- At minimum, persist lockout state to survive restarts

### Fix

Fixed in commit `2749bc0` on branch `releases/1.4.x` — added abstract RateLimitBackend with InMemoryBackend and DatabaseBackend implementations; defaults to DatabaseBackend when DB available.
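The following is an added example illustrating the backend-abstraction approach the fix describes; it is not the project's code from commit `2749bc0`. The class names `RateLimitBackend` and `InMemoryBackend` come from the advisory, but their interface here, the `SQLiteBackend` (standing in for the project's `DatabaseBackend`), the thresholds, and the `demonstrate()` scenario are all assumptions. The scenario shows why the in-memory design fails: a lockout recorded through one worker is invisible to a second worker and vanishes on restart, whereas the database-backed state is seen by every worker and survives a simulated restart.

```python
import os
import sqlite3
import tempfile
from abc import ABC, abstractmethod
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_ATTEMPTS = 5                 # failures allowed inside WINDOW before lockout (assumed values)
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(minutes=15)


class RateLimitBackend(ABC):
    """Storage for attempt timestamps and lockouts; the limiter itself holds no state."""

    @abstractmethod
    def record_attempt(self, subject: str, at: datetime) -> None: ...

    @abstractmethod
    def count_attempts(self, subject: str, since: datetime) -> int: ...

    @abstractmethod
    def set_lockout(self, subject: str, until: datetime) -> None: ...

    @abstractmethod
    def get_lockout(self, subject: str) -> Optional[datetime]: ...


class InMemoryBackend(RateLimitBackend):
    """Per-process state: the original design, usable only for a single long-lived worker."""

    def __init__(self) -> None:
        self._attempts: Dict[str, List[datetime]] = defaultdict(list)
        self._lockouts: Dict[str, datetime] = {}

    def record_attempt(self, subject, at):
        self._attempts[subject].append(at)

    def count_attempts(self, subject, since):
        return sum(1 for t in self._attempts[subject] if t >= since)

    def set_lockout(self, subject, until):
        self._lockouts[subject] = until

    def get_lockout(self, subject):
        return self._lockouts.get(subject)


class SQLiteBackend(RateLimitBackend):
    """Shared, durable state: every worker opens the same database file."""

    def __init__(self, path: str) -> None:
        self._db = sqlite3.connect(path)
        self._db.execute("CREATE TABLE IF NOT EXISTS totp_attempts (subject TEXT, at REAL)")
        self._db.execute("CREATE TABLE IF NOT EXISTS totp_lockouts (subject TEXT PRIMARY KEY, until REAL)")
        self._db.commit()

    def record_attempt(self, subject, at):
        self._db.execute("INSERT INTO totp_attempts VALUES (?, ?)", (subject, at.timestamp()))
        self._db.commit()

    def count_attempts(self, subject, since):
        row = self._db.execute("SELECT COUNT(*) FROM totp_attempts WHERE subject = ? AND at >= ?",
                               (subject, since.timestamp())).fetchone()
        return row[0]

    def set_lockout(self, subject, until):
        self._db.execute("INSERT OR REPLACE INTO totp_lockouts VALUES (?, ?)",
                         (subject, until.timestamp()))
        self._db.commit()

    def get_lockout(self, subject):
        row = self._db.execute("SELECT until FROM totp_lockouts WHERE subject = ?", (subject,)).fetchone()
        return datetime.fromtimestamp(row[0], tz=timezone.utc) if row else None

    def close(self) -> None:
        self._db.close()


class TOTPRateLimiter:
    """Policy only; all state goes through the injected backend."""

    def __init__(self, backend: RateLimitBackend) -> None:
        self.backend = backend

    def is_allowed(self, subject: str, now: datetime) -> bool:
        until = self.backend.get_lockout(subject)
        return until is None or until <= now

    def record_failure(self, subject: str, now: datetime) -> bool:
        """Record a wrong code; returns True if this failure triggered a lockout."""
        self.backend.record_attempt(subject, now)
        if self.backend.count_attempts(subject, now - WINDOW) >= MAX_ATTEMPTS:
            self.backend.set_lockout(subject, now + LOCKOUT)
            return True
        return False


def demonstrate() -> dict:
    """Constructed scenario: two workers share one DB file, then the process restarts."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock, constructed
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        worker_a = TOTPRateLimiter(SQLiteBackend(path))
        worker_b = TOTPRateLimiter(SQLiteBackend(path))
        for i in range(MAX_ATTEMPTS):            # budget is exhausted through worker A only
            worker_a.record_failure("alice", t0 + timedelta(seconds=i))
        shared = not worker_b.is_allowed("alice", t0 + timedelta(seconds=10))
        worker_a.backend.close()                 # "restart": every object is discarded
        worker_b.backend.close()
        fresh = TOTPRateLimiter(SQLiteBackend(path))
        survives = not fresh.is_allowed("alice", t0 + timedelta(minutes=1))
        expires = fresh.is_allowed("alice", t0 + LOCKOUT + timedelta(minutes=1))
        fresh.backend.close()
    finally:
        os.remove(path)
    # Contrast with the original in-memory design: a second limiter object sees nothing.
    mem_a = TOTPRateLimiter(InMemoryBackend())
    mem_b = TOTPRateLimiter(InMemoryBackend())
    for i in range(MAX_ATTEMPTS):
        mem_a.record_failure("alice", t0 + timedelta(seconds=i))
    return {"shared_across_workers": shared, "survives_restart": survives,
            "lockout_expires": expires,
            "in_memory_shared": not mem_b.is_allowed("alice", t0 + timedelta(seconds=10))}
```

Running `demonstrate()` returns `shared_across_workers`, `survives_restart` and `lockout_expires` as `True` and `in_memory_shared` as `False`. The limiter class carries no state of its own, so the same policy code serves both backends; selecting the database backend whenever one is available is what makes the per-worker and post-restart bypasses go away.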