PT-2024-37998 · Parisneo · Lollms-Webui

Published 2024-10-13 · Updated 2024-11-03 · CVE-2024-6959

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui version 9.8

Description: A Denial of Service (DoS) attack can be performed when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering lollms-webui inaccessible. This issue is exacerbated by the lack of Cross-Site Request Forgery (CSRF) protection, enabling remote exploitation. The issue leads to service disruption, resource exhaustion, and extended downtime.

Recommendations: As a temporary workaround, consider disabling the audio file upload feature until a patch is available. Restrict access to the multipart boundary to minimize the risk of exploitation. Upgrade to a patched version immediately to mitigate the risk.
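The two weaknesses described above (an unbounded multipart boundary and missing CSRF protection) can both be refused before any body parsing happens. The following is an added example, not code from lollms-webui: it validates the `boundary` parameter of the Content-Type header against RFC 2046 (at most 70 characters, drawn from a fixed character set) and checks the Origin header against an allowlist; the header dictionary and allowed origins are assumptions.

```python
import re
from email.message import Message
from email.utils import collapse_rfc2231_value

# RFC 2046 section 5.1.1: a boundary is 1 to 70 "bchars" and must not end in a space.
RFC2046_MAX_BOUNDARY = 70
_BCHARS_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]+$")


def parse_boundary(content_type):
    """Return the boundary parameter of a multipart Content-Type, or None."""
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_maintype() != "multipart":
        return None
    boundary = msg.get_param("boundary")
    if isinstance(boundary, tuple):  # RFC 2231 encoded parameter
        boundary = collapse_rfc2231_value(boundary)
    return boundary


def validate_boundary(content_type):
    """Return (ok, reason). Rejecting an oversized boundary here is O(header
    length) and avoids handing it to the multipart parser at all."""
    boundary = parse_boundary(content_type)
    if boundary is None:
        return False, "not multipart or boundary missing"
    if len(boundary) > RFC2046_MAX_BOUNDARY:
        return False, f"boundary length {len(boundary)} exceeds {RFC2046_MAX_BOUNDARY}"
    if not _BCHARS_RE.match(boundary) or boundary.endswith(" "):
        return False, "boundary contains characters outside RFC 2046 bchars"
    return True, "ok"


def same_origin(origin_header, allowed_origins):
    """Browsers send Origin on cross-site POSTs; a missing or foreign Origin
    marks a request that a CSRF-protected upload endpoint should refuse."""
    return origin_header is not None and origin_header in allowed_origins


def check_upload_request(headers, allowed_origins):
    """Combined pre-handler guard for a multipart upload (assumed header dict)."""
    if not same_origin(headers.get("Origin"), allowed_origins):
        return False, "cross-site request rejected"
    return validate_boundary(headers.get("Content-Type", ""))
```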

CSRF

Weakness Enumeration

Related Identifiers: CVE-2024-6959

Affected Products: Lollms-Webui