A rate limiting algorithm is used to check if the user session (or IP address) has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code 429: Too Many Requests. (Wikipedia)
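The mechanism described above, as an added example that is not part of the original report: a sliding-window rate limiter keyed by client IP or session id, which keeps recent request timestamps per key in an in-memory cache and answers 429 once a key exceeds the allowed count inside the window. The limit of 5 requests per 60 seconds, the `simulate` helper and the request sequence it replays are constructed for illustration; a real deployment would pick thresholds per endpoint and back the store with a shared cache.

```python
import time
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple

HTTP_OK = 200
HTTP_TOO_MANY_REQUESTS = 429


class SlidingWindowRateLimiter:
    """Sliding-window-log limiter: at most `max_requests` hits per key
    within any trailing `window_seconds` interval.

    The clock is injectable so behaviour can be tested deterministically;
    production code would keep the default `time.monotonic`.
    """

    def __init__(self, max_requests: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        # Per-key log of request timestamps; acts as the "session cache".
        self._hits: Dict[str, Deque[float]] = {}

    def check(self, key: str) -> int:
        """Record one request for `key` and return the HTTP status the
        server should answer with: 200 if allowed, 429 if over the limit."""
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        cutoff = now - self.window
        # Drop timestamps that have aged out of the window.
        while hits and hits[0] <= cutoff:
            hits.popleft()
        if len(hits) >= self.max_requests:
            # Over the limit: do not record the hit, so the window is not
            # extended by rejected requests.
            return HTTP_TOO_MANY_REQUESTS
        hits.append(now)
        return HTTP_OK


def simulate(events: List[Tuple[float, str]], max_requests: int = 5,
             window_seconds: float = 60.0) -> List[int]:
    """Replay (timestamp, key) events through a limiter with a fake clock
    and return the status code decided for each request."""
    current = {"t": 0.0}
    limiter = SlidingWindowRateLimiter(max_requests, window_seconds,
                                       clock=lambda: current["t"])
    statuses = []
    for t, key in events:
        current["t"] = t
        statuses.append(limiter.check(key))
    return statuses


# Constructed sample traffic: one client hammers the reset-password
# endpoint seven times in the same second, another client sends one
# request, then the first client returns after the window has passed.
SAMPLE_EVENTS: List[Tuple[float, str]] = (
    [(0.0, "198.51.100.7")] * 7
    + [(0.5, "203.0.113.9")]
    + [(60.0, "198.51.100.7")]
)

if __name__ == "__main__":
    for (t, key), status in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={t:5.1f} key={key:15} -> {status}")
```

For a password-reset endpoint the key is usually a combination of client address and the target account identifier, so that the limit holds for a single account even when requests arrive from several sessions; the limiter itself is unchanged, only the key passed to `check` differs.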
I just realized that on the reset password page the request has no rate limit, which can then be used to loop through one request.
VIDEO POC
https://drive.google.com/file/d/1FhvPexy9NwpFD6kMTvYlXMc7xvwfhnci/view?usp=sharing
Result:
There are 2 security issues observed.