PT-2025-12241 · Unknown · Parisneo/Lollms-Webui

Published: 2025-03-20 · Updated: 2025-04-04 · CVE-2024-8736

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui version V12 (Strawberry)

Description: A Denial of Service (DoS) issue exists in the application's handling of multipart boundaries in its file upload endpoints. Although the endpoints are protected against CSRF, the server still processes the multipart boundary of an incoming request, which leads to resource exhaustion. An attacker can trigger this by appending characters to the multipart boundary: the server parses the body byte by byte against the oversized boundary, and the service becomes unavailable. The issue affects the "/upload avatar", "/upload app", and "/upload logo" endpoints.

Recommendations: For parisneo/lollms-webui version V12 (Strawberry), consider disabling file upload functionality in the "/upload avatar", "/upload app", and "/upload logo" endpoints until a patch is available. Restrict access to these endpoints to reduce the risk of resource exhaustion. Avoid processing multipart boundaries in these endpoints to mitigate the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

DoS

Resource Exhaustion

CSRF

Weakness Enumeration

Related Identifiers: CVE-2024-8736

Affected Products: Parisneo/Lollms-Webui