Microsoft · Windows · CVE-2024-23826
**Name of the Vulnerable Software and Affected Versions**
spbu se site versions prior to 2024.01.29
**Description**
The issue arises when an authenticated user uploads an avatar image with a very long Unicode filename, which causes a server-side denial of service on Windows. The cause is the lack of any limit on filename length, combined with the costly NFKD form of Unicode normalization on Windows.
**Recommendations**
For versions prior to 2024.01.29, update to the 2024.01.29 release to resolve the issue. As a temporary workaround, consider restricting the length of filenames for avatar uploads to prevent potential denial of service attacks.
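One way to apply the filename-length workaround, shown as an added example rather than the project's own code. The function name `safe_avatar_name` and both 255-character limits are assumptions. The length check runs before NFKD normalization and again after it, because a single code point can decompose into many.

```python
import os
import re
import unicodedata

MAX_RAW_CHARS = 255         # assumed limit, enforced before any normalization
MAX_NORMALIZED_CHARS = 255  # assumed limit, enforced after NFKD expansion


class FilenameRejected(ValueError):
    """Raised when an uploaded filename fails the length policy."""


def safe_avatar_name(raw_name: str) -> str:
    """Return a normalized ASCII filename, or raise FilenameRejected.

    The cheap length check comes first, so the NFKD pass only ever
    sees bounded input.
    """
    if len(raw_name) > MAX_RAW_CHARS:
        raise FilenameRejected("filename too long")

    # Drop client-supplied directory components (both separator styles).
    name = os.path.basename(raw_name.replace("\\", "/"))
    if not name:
        raise FilenameRejected("empty filename")

    # NFKD may expand one code point into several (U+FDFA becomes 18),
    # so the decomposed form is checked against its own limit.
    decomposed = unicodedata.normalize("NFKD", name)
    if len(decomposed) > MAX_NORMALIZED_CHARS:
        raise FilenameRejected("filename too long after normalization")

    # Keep only a conservative ASCII character set for storage.
    ascii_name = decomposed.encode("ascii", "ignore").decode("ascii")
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", ascii_name).strip("._")
    if not ascii_name:
        raise FilenameRejected("no usable characters in filename")
    return ascii_name
```

Call it on the client-supplied name before the file is stored, and answer a `FilenameRejected` with an HTTP 400 response.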