CVE-2024-12759

Name of the Vulnerable Software and Affected Versions bentoml/bentoml version 1.3.9

Description The /login endpoint of the newly integrated Gradio app in bentoml/bentoml is vulnerable to a Denial of Service (DoS) attack. This vulnerability can be exploited by appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request. The server continuously processes each character, leading to excessive resource consumption and rendering the service unavailable. The issue is unauthenticated and does not require any user interaction.

Recommendations To resolve the issue in bentoml/bentoml version 1.3.9, consider disabling the /login endpoint of the Gradio app until a patch is available. As a temporary workaround, restrict access to the /login endpoint to minimize the risk of exploitation. Avoid using the endpoint with multipart boundaries that can be manipulated to cause excessive resource consumption.