High

fastchat

DoS via Large Filename in File Upload

A Denial of Service (DoS) vulnerability was discovered in the file upload feature of FastChat version v0.2.36. The vulnerability allows an attacker to overwhelm the server by sending a file with an excessively large filename, leading to unavailability for legitimate users. The issue has not yet been patched.

Available publicly on Jan 07 2025

7.5

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Credit:

mnqazi

Threat Overview

The vulnerability arises from improper handling of form-data in the file upload endpoint. By sending a file with a very large filename, the server becomes overwhelmed and enters a state of continuous processing. This results in the server becoming unresponsive and unavailable to legitimate users. The attack does not require authentication, making it easy to exploit.
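One mitigation for the behaviour described above is to bound the size of each multipart part's header block and the length of the filename before any part is processed, so an oversized filename is refused cheaply. The following is an added example written for this page, not FastChat's own upload code; the two limits and the sample body builder are assumptions made for the illustration.

```python
import re

MAX_PART_HEADER_BYTES = 4096   # assumed cap on one part's header block
MAX_FILENAME_CHARS = 255       # assumed cap; a common filesystem maximum
# Captures the value of filename= or filename*= inside Content-Disposition.
_FILENAME_RE = re.compile(rb'filename\*?=\s*"?([^";\r\n]*)"?', re.IGNORECASE)


class UploadRejected(ValueError):
    """A part's header block or filename exceeded the configured limit."""


def check_multipart_filenames(body: bytes, boundary: bytes) -> list[str]:
    """Return file-part filenames; raise UploadRejected when a limit is hit.

    Only each part's header block is inspected, within a bounded window, so
    an oversized filename is refused cheaply instead of being fully processed.
    """
    delimiter = b"--" + boundary
    names = []
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # closing delimiter: --boundary--
            break
        part = part.lstrip(b"\r\n")
        # Look for the blank line ending the headers only within the limit.
        header_end = part.find(b"\r\n\r\n", 0, MAX_PART_HEADER_BYTES + 4)
        if header_end == -1:
            raise UploadRejected("part header block missing or too large")
        match = _FILENAME_RE.search(part[:header_end])
        if match is None:
            continue                        # plain form field, not a file
        filename = match.group(1).decode("utf-8", "replace")
        if len(filename) > MAX_FILENAME_CHARS:
            raise UploadRejected(f"filename too long: {len(filename)} chars")
        names.append(filename)
    return names


def upload_allowed(body: bytes, boundary: bytes) -> bool:
    """True if every file part passes the limits, False if any is rejected."""
    try:
        check_multipart_filenames(body, boundary)
    except UploadRejected:
        return False
    return True


def build_sample_body(boundary: bytes, filename: str) -> bytes:
    """Constructed sample upload body with one file part (test data only)."""
    return (b"--" + boundary + b'\r\nContent-Disposition: form-data; name="f"; filename="'
            + filename.encode() + b'"\r\n\r\nhello\r\n--' + boundary + b"--\r\n")
```

A request body size limit at the reverse proxy or framework layer belongs in front of this check, since the body must still be received before it can be scanned.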

Attack Scenario

An attacker crafts a malicious payload with a very large filename and sends it to the file upload endpoint of the FastChat server. The server, unable to handle the oversized filename, becomes overwhelmed and unresponsive. This prevents legitimate users from accessing the service, effectively causing a denial of service.

Who is affected

Users and administrators of FastChat version v0.2.36 are affected by this vulnerability. Any instance of the service that exposes the file upload endpoint is at risk.
