Add failed security answer attempt counter and automatic account lock after five consecutive failures in resetPassword route.

[zeropath-ai-dev]

Summary

• The Vulnerability Description:
  Previously, the application did not limit the number of failed security answer attempts during password reset—each incorrect answer simply returned a 401 status with no other action, allowing attackers to attempt unlimited guesses (brute-force).

• This Fix:
  The patch introduces tracking of failed security answer attempts per user and automatically locks the user’s account using lockAccount(userId) after five incorrect attempts within a one-hour window.

• The Cause of the Issue:
  Lack of state-tracking for failed answer attempts meant attackers had unlimited chances to guess security answers, significantly reducing the effectiveness of this authentication factor.

• The Patch Implementation:
  The code adds a failedAttempts Map to store attempt counts and timestamps for each user; after five failures in one hour, it logs and locks the account, preventing further brute-force attempts.

Vulnerability Details

• Vulnerability Class: Natural Language Rule Violation
• Severity: 10.0
• Affected File: routes/resetPassword.ts
• Vulnerable Lines: 47-49

Code Snippets

diff --git a/routes/resetPassword.ts b/routes/resetPassword.ts
index 235be1b45..236df0a5a 100644
--- a/routes/resetPassword.ts
+++ b/routes/resetPassword.ts
@@ -14,6 +14,11 @@ import challengeUtils = require('../lib/challengeUtils')
 const users = require('../data/datacache').users
 const security = require('../lib/insecurity')
 
+// track failed security answer attempts per user
+const failedAttempts: Map<number, { count: number; firstAttempt: Date }> = new Map()
+const MAX_FAILED_ATTEMPTS = 5
+const ATTEMPT_WINDOW_MS = 60 * 60 * 1000 // 1 hour
+
 module.exports = function resetPassword () {
   return ({ body, connection }: Request, res: Response, next: NextFunction) => {
     const email = body.email
@@ -45,7 +50,32 @@ module.exports = function resetPassword () {
             next(error)
           })
         } else {
-          res.status(401).send(res.__('Wrong answer to security question.'))
+          // handle failed security answer attempts with threshold and time window
+          const userId = data?.UserId
+          if (userId == null) {
+            return res.status(401).send(res.__('Wrong answer to security question.'))
+          }
+          const now = new Date()
+          let record = failedAttempts.get(userId)
+          if (record) {
+            // reset window if expired
+            if (now.getTime() - record.firstAttempt.getTime() > ATTEMPT_WINDOW_MS) {
+              record = { count: 1, firstAttempt: now }
+            } else {
+              record.count += 1
+            }
+          } else {
+            record = { count: 1, firstAttempt: now }
+          }
+          failedAttempts.set(userId, record)
+          if (record.count >= MAX_FAILED_ATTEMPTS) {
+            try {
+              security.lockAccount(userId)
+            } catch (err) {
+              console.error('Failed to lock account for user', userId, err)
+            }
+          }
+          return res.status(401).send(res.__('Wrong answer to security question.'))
         }
       }).catch((error: unknown) => {
         next(error)

How to Modify the Patch

You can modify this patch by using one of the two methods outlined below. We recommend using the @zeropath-ai-dev bot for updating the code. If you encounter any bugs or issues with the patch, please report them here.

Ask @zeropath-ai-dev!

To request modifications, please post a comment beginning with @zeropath-ai-dev and specify the changes required.

@zeropath-ai-dev will then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.

Manually Modify the Files

# Checkout created branch:
git checkout zvuln_fix_natural_language_rule_violation_1755145392900580

# if vscode is installed run (or use your favorite editor / IDE):
code routes/resetPassword.ts

# Add, commit, and push changes:
git add -A
git commit -m "Update generated patch with x, y, and z changes."
git push zvuln_fix_natural_language_rule_violation_1755145392900580