CRE-2025-0138
Supabase Self-Hosted: API Rate Limit Exceeded and Request Throttling
Severity: Low
Impact: 5/10
Mitigation: 4/10
Description
Detects when Supabase API requests are being rate-limited due to excessive traffic or aggressive client behavior. This results in HTTP 429 responses and can indicate DDoS attacks, misconfigured clients, or insufficient rate limiting configuration for the application's traffic patterns.
Mitigation
IMMEDIATE:
- Review the rate limiting configuration in Kong
- Identify the source of the excessive requests in the logs
- Temporarily increase rate limits if the traffic is legitimate
- Block malicious IPs if under attack

CONFIGURATION:
- Adjust the Kong rate-limiting plugin settings (shown here in Kong's declarative config shape; `policy: local` keeps counters per Kong node):
  ```yaml
  plugins:
    - name: rate-limiting
      config:
        minute: 100 # Increase from current limits
        policy: local
  ```
- Implement different limits for different API endpoints
- Use Redis for distributed rate limiting if scaling (Kong's `policy: redis`)

CLIENT-SIDE:
- Implement exponential backoff in client retry logic
- Add request caching for frequently accessed data
- Use WebSocket for real-time updates instead of polling
- Implement client-side rate limiting

MONITORING:
- Set up alerts for high rate limit rejection rates
- Monitor API usage patterns and trends
- Track legitimate vs. malicious traffic
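As an added example (not part of this CRE record or of Supabase/Kong), the detection and monitoring points above as a script run over a few constructed Kong access-log lines: it computes the per-minute share of 429 responses, raises an alert when that share crosses a threshold, and separates one noisy client from widely spread rejections. The log format assumed is nginx "combined", which Kong's proxy access log emits by default; the thresholds and sample IPs are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (nginx "combined" format, assumed for Kong's proxy access log).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2025:10:00:01 +0000] "GET /rest/v1/todos HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [12/May/2025:10:00:02 +0000] "GET /rest/v1/todos HTTP/1.1" 429 43 "-" "curl/8.0"
10.0.0.5 - - [12/May/2025:10:00:02 +0000] "GET /rest/v1/todos HTTP/1.1" 429 43 "-" "curl/8.0"
10.0.0.5 - - [12/May/2025:10:00:03 +0000] "GET /rest/v1/todos HTTP/1.1" 429 43 "-" "curl/8.0"
10.0.0.9 - - [12/May/2025:10:00:05 +0000] "POST /auth/v1/token HTTP/1.1" 429 43 "-" "okhttp/4.9"
10.0.0.7 - - [12/May/2025:10:00:07 +0000] "GET /rest/v1/profiles HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.0.0.8 - - [12/May/2025:10:00:09 +0000] "GET /rest/v1/profiles HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.0.0.7 - - [12/May/2025:10:00:30 +0000] "GET /storage/v1/object/x HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.8 - - [12/May/2025:10:01:10 +0000] "GET /rest/v1/todos HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# ip, timestamp, request path and status code are all we need from each line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    # Returns None for lines that are not in the expected access-log format.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "minute": ts.strftime("%Y-%m-%dT%H:%M")}

def rate_limit_alerts(log_text, reject_ratio=0.2, per_ip_429=3):
    """One alert per minute whose 429 share is >= reject_ratio; 'noisy_clients' lists IPs
    with >= per_ip_429 rejections (one bad client), 'rejected_ips' how widely spread they are."""
    totals, rejected = Counter(), defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        totals[rec["minute"]] += 1
        if rec["status"] == 429:
            rejected[rec["minute"]][rec["ip"]] += 1
    alerts = []
    for minute in sorted(totals):
        hits = rejected[minute]
        ratio = sum(hits.values()) / totals[minute]
        if ratio >= reject_ratio:
            alerts.append({"minute": minute, "ratio": round(ratio, 2), "rejected_ips": len(hits),
                           "noisy_clients": [ip for ip, n in hits.most_common() if n >= per_ip_429]})
    return alerts
```

A high ratio with a single noisy client usually means a misconfigured client or missing backoff; a high ratio spread over many IPs with no single offender is the pattern to treat as possible DDoS rather than fix with a larger `minute` limit.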