PT-2024-24344 · Mealie · Mealie

Logan Maclaren +1 · Published 2024-04-19 · Updated 2024-10-25 · CVE-2024-31994

CVSS v3.1: 6.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Mealie versions prior to 1.4.0

Description: Mealie, a self-hosted recipe manager and meal planner, lets an authenticated user (PR:L in the vector) supply the URL from which a recipe image is fetched. An attacker can point that image request at an arbitrarily large file, and Mealie attempts to retrieve the file in whole with no size limit. If the download completes, this can fill the disk; given the memory limits of a typical deployment, the more likely outcome is that the container runs out of memory (OOM) during retrieval once the file size exceeds the memory allocated to it. Repeating the request forces the container into an endless OOM restart loop, or leaves it crashed and offline. The endpoint is also not rate limited, so an attacker can generate a continuous stream of requests to any target of their choosing, which can contribute to a denial of service (DoS) against an external host.

Recommendations: For versions prior to 1.4.0, update to version 1.4.0, which resolves the issue. Until then: configure docker-compose.yml so the container does not restart indefinitely after an OOM kill (this limits the crash loop; it does not stop the memory exhaustion itself); restrict access to the image request endpoint to trusted users to minimize the risk of exploitation; and avoid using the endpoint until the fix is in place.
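The unbounded fetch described above, beside the size cap that closes it, as an added example written for this page (it is not Mealie's code, and the fix that shipped in 1.4.0 is not reproduced here). The byte cap `MAX_IMAGE_BYTES`, the chunk size, and the `FakeResponse` stand-in for a streamed HTTP response are all assumptions constructed so the example runs offline; in a real client the response would come from something like `requests.get(url, stream=True, timeout=...)`. The hardened reader checks the declared `Content-Length` first, so an honestly-advertised oversized file costs nothing, and then enforces the same cap on the bytes actually streamed, because the header can be absent or lie.

```python
import io
from typing import Dict, Iterator, Optional, Tuple

# Hypothetical cap on a fetched image; Mealie's own limit (if any) is not on the page.
MAX_IMAGE_BYTES = 10 * 1024 * 1024
CHUNK_SIZE = 64 * 1024


class ImageTooLarge(Exception):
    """Raised when a remote image exceeds the configured byte cap."""


class FakeResponse:
    """Constructed stand-in for a streamed HTTP response (e.g. requests.get(..., stream=True)).

    Serves `actual_size` zero bytes in chunks and advertises `declared_size` in
    Content-Length (None = header absent). `bytes_served` records how much the
    "server" actually had to send, i.e. how much the client pulled in.
    """

    def __init__(self, actual_size: int, declared_size: Optional[int] = None) -> None:
        self.actual_size = actual_size
        self.headers: Dict[str, str] = {}
        if declared_size is not None:
            self.headers["Content-Length"] = str(declared_size)
        self.bytes_served = 0

    def iter_content(self, chunk_size: int) -> Iterator[bytes]:
        remaining = self.actual_size
        while remaining > 0:
            n = min(chunk_size, remaining)
            remaining -= n
            self.bytes_served += n
            yield b"\x00" * n


def read_whole(resp: FakeResponse) -> bytes:
    """Unbounded pattern: buffer the entire body in memory, however large it is.

    Pointed at a file larger than the container's memory this is exactly the OOM
    the advisory describes.
    """
    return b"".join(resp.iter_content(CHUNK_SIZE))


def read_bounded(resp: FakeResponse, max_bytes: int = MAX_IMAGE_BYTES) -> bytes:
    """Hardened pattern: reject on the declared size, then enforce the cap on real bytes."""
    declared = resp.headers.get("Content-Length")
    if declared is not None and declared.isdigit() and int(declared) > max_bytes:
        # Cheap early exit: nothing has been downloaded yet.
        raise ImageTooLarge(f"declared {declared} bytes > cap {max_bytes}")
    buf = io.BytesIO()
    total = 0
    for chunk in resp.iter_content(CHUNK_SIZE):
        total += len(chunk)
        if total > max_bytes:
            # Content-Length was absent or dishonest; stop before buffering more.
            raise ImageTooLarge(f"body exceeded cap {max_bytes} after {total} bytes")
        buf.write(chunk)
    return buf.getvalue()


def try_fetch(resp: FakeResponse, max_bytes: int = MAX_IMAGE_BYTES) -> Tuple[str, int]:
    """Run the bounded read; return ('ok' | 'rejected', bytes the client actually pulled)."""
    try:
        read_bounded(resp, max_bytes)
        return ("ok", resp.bytes_served)
    except ImageTooLarge:
        return ("rejected", resp.bytes_served)


if __name__ == "__main__":
    # Constructed scenarios: an honest small image, an honest huge file, a lying server.
    print("small, honest:    ", try_fetch(FakeResponse(4096, 4096)))
    print("huge, honest:     ", try_fetch(FakeResponse(200 * 1024 * 1024, 200 * 1024 * 1024)))
    print("huge, lying header:", try_fetch(FakeResponse(200 * 1024 * 1024, 1024)))
    print("huge, no header:   ", try_fetch(FakeResponse(200 * 1024 * 1024, None)))
```

The cap bounds memory at roughly `max_bytes + CHUNK_SIZE` regardless of what the server claims; pair it with a request timeout so a slow target cannot hold a worker open indefinitely. The size limit does nothing about the second half of the advisory, the missing rate limit: that has to be enforced separately, per user or per source address, in front of the endpoint.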

Exploit · Fix · Resource Exhaustion

Weakness Enumeration

Related Identifiers: CVE-2024-31994

Affected Products: Mealie