Denial of Service via Multipart Boundary Handling
A vulnerability in Release v0.2.36 allows unauthenticated attackers to cause a denial of service by sending malformed multipart requests with excessive characters appended to the boundary. This issue was patched in a later version.
Available publicly on Dec 30 2024
Threat Overview
The vulnerability arises from the server's inability to handle excessive characters appended to multipart boundaries. When an attacker sends a malformed multipart request with arbitrary characters at the end of the boundary, the server processes each extra character in an infinite loop. This leads to excessive resource consumption, causing the server to become unresponsive and resulting in a denial of service (DoS) for all users. The exploit does not require authentication, making it easy for attackers to execute.
Attack Scenario
An attacker crafts a multipart request with a boundary that includes a large number of appended characters. The attacker sends this request to the server, which then enters an infinite loop processing the extra characters. This consumes server resources, eventually causing the server to become unresponsive and denying service to legitimate users.
Who is affected
All users of the affected version (Release v0.2.36) are impacted, as the vulnerability can be exploited without authentication. This includes any deployment of the software that is accessible over the network.
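The advisory does not name the parser or the language it is written in, so the following is an added, illustrative example rather than the project's own code. It shows the two checks a defender would want in front of any multipart parser given the mechanism described above: the boundary parameter from the Content-Type header is validated against the RFC 2046 limits (1 to 70 characters from the permitted set, not ending in a space) before the body is touched, and the body scanner only accepts CRLF or the closing "--" immediately after a delimiter, so a boundary line with extra characters appended is rejected on first sight instead of being consumed one character at a time. Every loop iteration advances the read position, which is what rules out the infinite loop the advisory describes. The function names and the sample bodies are constructed for this example.

```python
import re
from typing import List, Optional

# RFC 2046 section 5.1.1: boundary is 1..70 characters from the bchars set
# and must not end with a space. Enforcing this up front caps the cost of
# handling any single boundary value.
MAX_BOUNDARY_LEN = 70
_BOUNDARY_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{1,%d}$" % MAX_BOUNDARY_LEN)


def extract_boundary(content_type: str) -> Optional[str]:
    """Return the boundary parameter if it is RFC 2046 compliant, else None.

    Parameter parsing is deliberately simple (split on ';'): a valid boundary
    cannot contain ';' so this is sufficient for the check being demonstrated.
    """
    media, _, params = content_type.partition(";")
    if media.strip().lower() != "multipart/form-data":
        return None
    for param in params.split(";"):
        name, _, value = param.strip().partition("=")
        if name.strip().lower() != "boundary":
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # unquote, but do not strip inside the quotes
        if not _BOUNDARY_RE.match(value) or value.endswith(" "):
            return None
        return value
    return None


def split_parts(body: bytes, boundary: str, max_parts: int = 100) -> List[bytes]:
    """Split a multipart body into raw parts with a strictly bounded scan.

    Raises ValueError on any structural problem. After each delimiter only
    two continuations are legal: CRLF (another part follows) or '--' (close).
    Anything else, including characters appended to the boundary, is an
    immediate rejection rather than something to loop over.
    """
    delim = b"--" + boundary.encode("ascii")
    parts: List[bytes] = []
    pos = body.find(delim)
    if pos < 0:
        raise ValueError("no opening boundary")
    pos += len(delim)
    while True:
        if body.startswith(b"--", pos):
            break  # closing delimiter reached
        if not body.startswith(b"\r\n", pos):
            raise ValueError("malformed delimiter line at offset %d" % pos)
        pos += 2
        nxt = body.find(b"\r\n" + delim, pos)
        if nxt < 0:
            raise ValueError("unterminated part")
        parts.append(body[pos:nxt])
        if len(parts) > max_parts:
            raise ValueError("too many parts")
        # Always moves forward: nxt >= pos and the delimiter has positive length.
        pos = nxt + 2 + len(delim)
    return parts


def handle_upload(content_type: str, body: bytes) -> str:
    """Return 'accepted:<n>' with the part count, or 'rejected:<reason>'."""
    boundary = extract_boundary(content_type)
    if boundary is None:
        return "rejected:invalid boundary parameter"
    try:
        parts = split_parts(body, boundary)
    except ValueError as exc:
        return "rejected:%s" % exc
    return "accepted:%d" % len(parts)


if __name__ == "__main__":
    # Constructed sample bodies, not traffic from the advisory.
    good = (b"--B\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\nhello\r\n"
            b"--B\r\nContent-Disposition: form-data; name=\"b\"\r\n\r\nworld\r\n"
            b"--B--\r\n")
    junk = b"--B\r\n\r\nhi\r\n--Bjunkjunkjunk\r\n"
    print(handle_upload("multipart/form-data; boundary=B", good))
    print(handle_upload("multipart/form-data; boundary=B", junk))
    print(handle_upload("multipart/form-data; boundary=" + "x" * 71, good))
```

The boundary length check is the cheap, decisive control: a request whose boundary parameter is over 70 characters never reaches the body scanner at all. The scanner's own invariant (position strictly increases, part count is capped) is what a reviewer should look for in any multipart implementation when assessing exposure to this class of DoS.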