diff --git a/CHANGELOG b/CHANGELOG
index 4fb867c969b4f5e1ac8e42be7024a2a8fa6360c9..acad4644f5f8126c2a5bb41ab205271e6f57f97a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 Please view this file on the master branch, on stable branches it's out of date.
 
 v 8.3.0 (unreleased)
+  - Bump rack-attack to 4.3.1 for security fix (Stan Hu)
   - API support for starred projects for authorized user (Zeger-Jan van de Weg)
   - Add open_issues_count to project API (Stan Hu)
   - Expand character set of usernames created by Omniauth (Corey Hinshaw)
diff --git a/Gemfile b/Gemfile
index b23e274081b669af8b52ad99077644a58b3e45b6..76b4759499efdcba9969e1b4f876dd41dbae114b 100644
--- a/Gemfile
+++ b/Gemfile
@@ -175,7 +175,7 @@ gem "sanitize", '~> 2.0'
 gem 'babosa', '~> 1.0.2'
 
 # Protect against bruteforcing
-gem "rack-attack", '~> 4.3.0'
+gem "rack-attack", '~> 4.3.1'
 
 # Ace editor
 gem 'ace-rails-ap', '~> 2.0.1'
diff --git a/Gemfile.lock b/Gemfile.lock
index 4dfff2111345d77c830078a5c7e577d79fcf5e4d..88c7a6e34241f11835e8506b7f4fe65f0814685f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -507,7 +507,7 @@ GEM
     rack (1.6.4)
     rack-accept (0.4.5)
       rack (>= 0.4)
-    rack-attack (4.3.0)
+    rack-attack (4.3.1)
       rack
     rack-cors (0.4.0)
     rack-mount (0.8.3)
@@ -908,7 +908,7 @@ DEPENDENCIES
   poltergeist (~> 1.8.1)
   pry-rails
   quiet_assets (~> 1.0.2)
-  rack-attack (~> 4.3.0)
+  rack-attack (~> 4.3.1)
   rack-cors (~> 0.4.0)
   rack-oauth2 (~> 1.2.1)
   rails (= 4.2.4)