[Security] No recvWindow Enforcement at SDK Level (Timestamp-Only Replay Window) #511

@mefai-dev

Description

Bug Name

No recvWindow Enforcement at SDK Level (Timestamp-Only Replay Window)

Attack Scenario

The send_request function adds a timestamp to signed requests but never sets a recvWindow parameter. The Binance API defaults recvWindow to 5000ms. Individual endpoint methods accept recv_window but there is no configuration-level default.

Impact

Users who need tighter replay protection windows must manually add recvWindow to every request payload. The default 5000ms window may be too wide for high-security trading operations.

Components

File: common/src/binance_common/utils.py (lines 323-331). No recvWindow in ConfigurationRestAPI.

Reproduction

  1. Create a signed request using the SDK.
  2. Inspect the request parameters.
  3. No recvWindow parameter is included unless manually added.

Fix

Add a recv_window parameter to ConfigurationRestAPI that is automatically included in all signed requests when set.

Details

Finding ID: SEC-04
Severity: Low


Researcher: Independent Security Researcher -- Mefai Security Team
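Added example, not code from binance-connector-python or from the reporter: a self-contained model of the mechanism this finding is about. It signs a request the Binance way (timestamp, optional recvWindow, HMAC-SHA256 over the URL-encoded query string), models the server-side freshness rule as I read it from the public API documentation (timestamp at most 1000 ms ahead of server time, and no older than recvWindow, default 5000 ms), and shows the shape of the proposed fix as a hypothetical config object with an SDK-level recv_window default. All names (build_signed_params, server_accepts, SignedRequestConfig, replay_window_ms), the secret and the order parameters are constructed for the demo and are not the SDK's real API.

```python
"""Model of timestamp + recvWindow replay protection for signed requests.

Example code, not part of binance-connector-python. The freshness rule and
the 60000 ms cap follow the public API docs as an assumption; names are
hypothetical.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

DEFAULT_RECV_WINDOW_MS = 5000   # server-side default when recvWindow is absent
MAX_RECV_WINDOW_MS = 60000      # documented upper bound for recvWindow (assumption)


def build_signed_params(api_secret: str, params: dict, now_ms: int,
                        recv_window_ms: Optional[int] = None) -> dict:
    """Append timestamp, optional recvWindow, and an HMAC-SHA256 signature
    computed over the URL-encoded query string (the Binance signing scheme)."""
    signed = dict(params)
    signed["timestamp"] = now_ms
    if recv_window_ms is not None:
        if not 0 < recv_window_ms <= MAX_RECV_WINDOW_MS:
            raise ValueError("recvWindow must be in (0, 60000] ms")
        signed["recvWindow"] = recv_window_ms
    payload = urlencode(signed)
    signed["signature"] = hmac.new(api_secret.encode(), payload.encode(),
                                   hashlib.sha256).hexdigest()
    return signed


def verify_signature(api_secret: str, signed_params: dict) -> bool:
    """Recompute the signature over every field except 'signature' (same
    field order as sent) and compare in constant time."""
    unsigned = {k: v for k, v in signed_params.items() if k != "signature"}
    expected = hmac.new(api_secret.encode(), urlencode(unsigned).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(signed_params.get("signature", "")))


def server_accepts(signed_params: dict, server_time_ms: int) -> bool:
    """Model of the server-side freshness rule: reject if the timestamp is
    more than 1000 ms ahead of server time, or older than recvWindow
    (5000 ms when the parameter is absent). Signature validity is separate."""
    ts = int(signed_params["timestamp"])
    window = int(signed_params.get("recvWindow", DEFAULT_RECV_WINDOW_MS))
    return ts < server_time_ms + 1000 and (server_time_ms - ts) <= window


def replay_window_ms(signed_params: dict) -> int:
    """How long after its timestamp a captured copy of this request is still
    accepted by the freshness rule: the window the attack scenario describes."""
    return int(signed_params.get("recvWindow", DEFAULT_RECV_WINDOW_MS))


@dataclass
class SignedRequestConfig:
    """Hypothetical configuration object with an SDK-level recv_window default
    that is applied to every signed request unless a call overrides it; the
    shape of the fix proposed in this issue, not the SDK's ConfigurationRestAPI."""
    api_secret: str
    recv_window_ms: Optional[int] = None

    def sign(self, params: dict, now_ms: Optional[int] = None,
             recv_window_ms: Optional[int] = None) -> dict:
        window = recv_window_ms if recv_window_ms is not None else self.recv_window_ms
        ts = now_ms if now_ms is not None else int(time.time() * 1000)
        return build_signed_params(self.api_secret, params, ts, window)


if __name__ == "__main__":
    # Constructed demo secret and order; never reuse real credentials here.
    cfg = SignedRequestConfig(api_secret="constructed-demo-secret", recv_window_ms=1000)
    order = {"symbol": "BTCUSDT", "side": "BUY", "type": "MARKET", "quantity": "0.001"}
    req = cfg.sign(order)
    print("recvWindow sent:", req["recvWindow"],
          "| captured copy valid for ms:", replay_window_ms(req))
```

With no recv_window configured, replay_window_ms reports 5000 for every request, which is the gap the finding describes; setting it once on the config object closes it for all signed calls without touching individual payloads. The freshness check is modelled only on the timestamp and window fields, so a tighter window is a replay mitigation, not a substitute for keeping the secret out of logs.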
