PT-2024-24342 · Mealie · Mealie
Credits: Logan Maclaren +1
Published 2024-04-19 · Updated 2024-04-22
CVE-2024-31992
CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Mealie versions prior to 1.4.0
Description: The issue arises in the `safe_scrape_html` function, which takes a user-controlled URL and issues a request to the remote server it names, with no rate limiting on how often a user may trigger it. Although the request carries a timeout as a denial-of-service mitigation, an authenticated user (PR:L in the vector above) can still issue a large number of scrape requests, which the server handles in batches according to the Mealie server configuration. Reading the response in chunks mitigates memory exhaustion, but it does not bound the work done per request: a single request pointed at an arbitrarily large external file is enough to saturate a CPU core assigned to the Mealie container. Without rate limiting, the attacker can keep such requests flowing against an external target indefinitely and exhaust the CPU resources allocated to the container. The impact is to availability only (C:N/I:N/A:H).
Recommendations: For versions prior to 1.4.0, update to version 1.4.0 or later. Until the update can be applied, rate-limit requests that reach `safe_scrape_html`, keyed per authenticated user since the endpoint requires a login, so that a single account cannot keep the scraper busy. Restrict what the scraper is allowed to fetch: cap the number of bytes read from a response, reject non-HTML content types, and limit outbound egress from the container (for example with an allow-list or proxy) so it cannot be pointed at arbitrarily large external files.
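To make both halves of the description concrete, the following added example (not Mealie's code, and not the fix shipped in 1.4.0) models the scrape-by-URL pattern offline: an unbounded chunked read beside a hardened variant that caps the bytes actually read, rejects non-HTML bodies, and rate-limits scrapes per authenticated user. The network layer is replaced by a constructed `FakeResponse`; the function and class names and the 2 MiB budget are assumptions chosen for illustration.

```python
# Added example (not Mealie's code): the scrape-by-URL pattern the advisory
# describes, modelled offline beside a hardened variant. A constructed
# FakeResponse replaces the network layer; names (scrape_unbounded, scrape_bounded,
# RateLimiter) and the 2 MiB budget are illustrative assumptions, not Mealie's.
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Iterator


class ResponseTooLarge(Exception): """Remote body exceeded the byte budget for one scrape."""
class UnsupportedContentType(Exception): """Remote body is not an HTML document."""
class RateLimited(Exception): """Caller exceeded its request budget for the window."""


@dataclass
class FakeResponse:
    """Constructed stand-in for an HTTP response streaming total_bytes in
    chunk_size pieces; size and type are attacker-chosen via the URL."""
    total_bytes: int
    chunk_size: int = 64 * 1024
    content_type: str = "text/html; charset=utf-8"

    def iter_chunks(self) -> Iterator[bytes]:
        remaining = self.total_bytes
        while remaining > 0:
            n = min(self.chunk_size, remaining)
            remaining -= n
            yield b"\x00" * n  # content is irrelevant here; only size matters


def scrape_unbounded(resp: FakeResponse) -> int:
    """Vulnerable pattern: every chunk is processed with no cap on the total.
    Memory is bounded per chunk, but CPU time grows with the remote body size."""
    processed = 0
    for chunk in resp.iter_chunks():
        processed += len(chunk)  # stand-in for decode/parse work per chunk
    return processed


MAX_BODY_BYTES = 2 * 1024 * 1024  # assumed budget; recipe pages are far smaller
HTML_TYPES = ("text/html", "application/xhtml+xml")


def scrape_bounded(resp: FakeResponse, max_bytes: int = MAX_BODY_BYTES) -> int:
    """Hardened pattern: reject non-HTML bodies and stop reading as soon as the
    budget is exceeded. The cap counts bytes actually read, not a
    Content-Length header, which the remote host can lie about."""
    media_type = resp.content_type.split(";", 1)[0].strip().lower()
    if media_type not in HTML_TYPES:
        raise UnsupportedContentType(media_type)
    processed = 0
    for chunk in resp.iter_chunks():
        processed += len(chunk)
        if processed > max_bytes:
            raise ResponseTooLarge(f"body exceeded {max_bytes} bytes")
    return processed


@dataclass
class RateLimiter:
    """Sliding-window limiter keyed per authenticated user (the endpoint needs a login)."""
    max_requests: int
    window_seconds: float
    _hits: Dict[str, Deque[float]] = field(default_factory=dict)

    def check(self, key: str, now: float) -> None:
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] >= self.window_seconds:
            hits.popleft()  # drop requests that have aged out of the window
        if len(hits) >= self.max_requests:
            raise RateLimited(key)
        hits.append(now)  # allowed: record it and return None


def outcome(fn: Callable[[], object], *errors: type) -> object:
    """Return fn()'s result, or 'rejected:<Error>' if it raised an expected rejection."""
    try:
        return fn()
    except errors as exc:
        return "rejected:" + type(exc).__name__


def demo() -> Dict[str, object]:
    """Run the advisory's scenarios against constructed responses, no network needed."""
    large = FakeResponse(total_bytes=10 * 1024 * 1024)  # the "large external file"
    small = FakeResponse(total_bytes=300 * 1024)  # an ordinary recipe page
    blob = FakeResponse(total_bytes=10 * 1024 * 1024, content_type="application/octet-stream")
    limiter = RateLimiter(max_requests=3, window_seconds=60.0)
    burst = [outcome(lambda: limiter.check("user-1", now=t), RateLimited) for t in (0.0, 1.0, 2.0, 3.0)]
    return {
        "unbounded_bytes": scrape_unbounded(large),  # all 10 MiB get processed
        "bounded_small": scrape_bounded(small),
        "bounded_large": outcome(lambda: scrape_bounded(large), ResponseTooLarge),
        "bounded_blob": outcome(lambda: scrape_bounded(blob), UnsupportedContentType),
        "burst_allowed": sum(1 for r in burst if r is None),  # None means allowed
        "after_window": outcome(lambda: limiter.check("user-1", now=61.0), RateLimited),
    }
```

Calling `demo()` shows the contrast: the unbounded path processes all 10 MiB that the attacker-chosen host sends, while the bounded path stops at the first chunk that crosses the budget, refuses a non-HTML body outright, and rejects the fourth scrape within a minute from the same user. In a real deployment the limiter key should be the authenticated user or API token, and the byte cap must be applied to the streamed body rather than to a header the remote side controls.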

Weakness Enumeration: Resource Exhaustion; Allocation of Resources Without Limits (CWE-770, Allocation of Resources Without Limits or Throttling)
Related Identifiers: CVE-2024-31992
Affected Products: Mealie