No limit for 'reset password' requests to Auth0

We received the following issue on our bug bounty program. The link is the link of our custom domain in Auth0.


  1. Open the password reset page on https://ourCustomDomain/dbconnections/change_password

  2. Enter the mail ID, intercept the request in Burp, and send this request to Repeater.

  3. Now replay the same request; after some requests it shows {"error":"too_many_requests","error_description":"too many requests"}

  4. Now simply add %00 to the end of the email and resend even more password reset emails.

  5. Keep adding %00 or %0d every time you are rate limited. After a while you can go back to just %00, as it resets after so long. Rate limiting protection is bypassed.

I'm putting it here FYI to understand if there's anything we need to take care of.

I haven’t tried replicating this myself, but I’d suggest filing a bug report with Auth0. Sounds like something they would want to fix.
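As an added illustration of why the padded addresses in the report above get a fresh allowance, here is a small rate limiter (example code, not Auth0's) with a "naive" mode that buckets on the raw submitted string and a hardened mode that keys on a canonical form of the email; the limits, the window and the sample addresses are assumptions.

```python
import re
import urllib.parse
from collections import defaultdict

# Added illustration, not Auth0's code: a per-identifier rate limiter for
# password-reset requests. The "naive" mode buckets on the raw submitted
# string, so "a@b.com", "a@b.com%00" and "a@b.com%00%0d" each get their own
# allowance. The hardened mode keys on a canonical form of the email instead.
MAX_REQUESTS = 5          # hypothetical per-email allowance per window
WINDOW_SECONDS = 3600
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def canonical_email(raw: str) -> str:
    """Collapse encoded/decorated variants of one address to a single key."""
    decoded = raw
    for _ in range(3):  # undo double or triple percent-encoding
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Drop NUL, CR, LF and other control characters, then trim and case-fold.
    return CONTROL_CHARS.sub("", decoded).strip().lower()


class ResetRateLimiter:
    def __init__(self, naive: bool = False) -> None:
        self.naive = naive
        self.hits = defaultdict(list)  # key -> timestamps of accepted requests

    def allow(self, raw_email: str, now: float) -> bool:
        key = raw_email if self.naive else canonical_email(raw_email)
        recent = [t for t in self.hits[key] if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS:
            self.hits[key] = recent
            return False          # reject: would surface as too_many_requests
        recent.append(now)
        self.hits[key] = recent
        return True


# Constructed sample: the reporter's pattern of padding the address after
# each rate-limit response. Six tries per variant, all inside one window.
ATTEMPTS = (["victim@example.com"] * 6
            + ["victim@example.com%00"] * 6
            + ["victim@example.com%00%0d"] * 6)


def emails_sent(attempts, naive: bool) -> int:
    """Count how many reset emails the limiter would let through."""
    limiter = ResetRateLimiter(naive=naive)
    return sum(limiter.allow(a, now=1000.0 + i) for i, a in enumerate(attempts))
```

With the constructed attempts, `emails_sent(ATTEMPTS, naive=True)` returns 15 (five per variant) while `emails_sent(ATTEMPTS, naive=False)` returns 5, since every variant normalizes to the same bucket.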