Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-6037

Summary
Assigner-@huntr_ai
Assigner Org ID-c09c270a-b464-47c1-9133-acb35b22c19a
Published At-10 Jul, 2024 | 22:43
Updated At-15 Oct, 2025 | 12:49
Rejected At-
Credits

Arbitrary Folder Creation in gaizhenbiao/chuanhuchatgpt

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240410 allows an attacker to create arbitrary folders at any location on the server, including the root directory (C: dir). This can lead to uncontrolled resource consumption, resulting in resource exhaustion, denial of service (DoS), server unavailability, and potential data loss or corruption.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:@huntr_ai
Assigner Org ID:c09c270a-b464-47c1-9133-acb35b22c19a
Published At:10 Jul, 2024 | 22:43
Updated At:15 Oct, 2025 | 12:49
Rejected At:
▼CVE Numbering Authority (CNA)
Arbitrary Folder Creation in gaizhenbiao/chuanhuchatgpt

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240410 allows an attacker to create arbitrary folders at any location on the server, including the root directory (C: dir). This can lead to uncontrolled resource consumption, resulting in resource exhaustion, denial of service (DoS), server unavailability, and potential data loss or corruption.

Affected Products
Vendor
gaizhenbiao
Product
gaizhenbiao/chuanhuchatgpt
Versions
Affected
  • From unspecified before 20240918 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-770CWE-770 Allocation of Resources Without Limits or Throttling
Type: CWE
CWE ID: CWE-770
Description: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics
VersionBase scoreBase severityVector
3.07.5HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version: 3.0
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://huntr.com/bounties/eca6904f-f9fd-40c8-9e85-96f54daf405e
N/A
https://github.com/gaizhenbiao/chuanhuchatgpt/commit/71cb89c4c948dae5aaa0ae64b98f98e3965bdb37
N/A
Hyperlink: https://huntr.com/bounties/eca6904f-f9fd-40c8-9e85-96f54daf405e
Resource: N/A
Hyperlink: https://github.com/gaizhenbiao/chuanhuchatgpt/commit/71cb89c4c948dae5aaa0ae64b98f98e3965bdb37
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
gaizhenbiao
Product
chuanhuchatgpt
CPEs
  • cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:20240410:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 20240410
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://huntr.com/bounties/eca6904f-f9fd-40c8-9e85-96f54daf405e
x_transferred
Hyperlink: https://huntr.com/bounties/eca6904f-f9fd-40c8-9e85-96f54daf405e
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@huntr.dev
Published At:10 Jul, 2024 | 23:15
Updated At:15 Oct, 2025 | 13:15

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240410 allows an attacker to create arbitrary folders at any location on the server, including the root directory (C: dir). This can lead to uncontrolled resource consumption, resulting in resource exhaustion, denial of service (DoS), server unavailability, and potential data loss or corruption.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Secondary3.07.5HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Primary
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Type: Secondary
Version: 3.0
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CPE Matches

gaizhenbiao
gaizhenbiao
>>chuanhuchatgpt>>20240410
cpe:2.3:a:gaizhenbiao:chuanhuchatgpt:20240410:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-770Primarysecurity@huntr.dev
NVD-CWE-noinfoSecondarynvd@nist.gov
CWE ID: CWE-770
Type: Primary
Source: security@huntr.dev
CWE ID: NVD-CWE-noinfo
Type: Secondary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/gaizhenbiao/chuanhuchatgpt/commit/71cb89c4c948dae5aaa0ae64b98f98e3965bdb37security@huntr.dev
N/A
https://huntr.com/bounties/eca6904f-f9fd-40c8-9e85-96f54daf405esecurity@huntr.dev
Exploit
Third Party Advisory
https://huntr.com/bounties/eca6904f-f9fd-40c8-9e85-96f54daf405eaf854a3a-2127-422b-91ae-364da2661108
Exploit
Third Party Advisory
Hyperlink: https://github.com/gaizhenbiao/chuanhuchatgpt/commit/71cb89c4c948dae5aaa0ae64b98f98e3965bdb37
Source: security@huntr.dev
Resource: N/A
Hyperlink: https://huntr.com/bounties/eca6904f-f9fd-40c8-9e85-96f54daf405e
Source: security@huntr.dev
Resource:
Exploit
Third Party Advisory
Hyperlink: https://huntr.com/bounties/eca6904f-f9fd-40c8-9e85-96f54daf405e
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

84Records found

CVE-2024-10650
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.67% / 47.46%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:11
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service (DoS) in gaizhenbiao/chuanhuchatgpt

An unauthenticated Denial of Service (DoS) vulnerability was identified in ChuanhuChatGPT version 20240918, which could be exploited by sending large data payloads using a multipart boundary. Although a patch was applied for CVE-2024-7807, the issue can still be exploited by sending data in groups with 10 characters in a line, with multiple lines. This can cause the system to continuously process these characters, resulting in prolonged unavailability of the service. The exploitation now requires low privilege if authentication is enabled due to a version upgrade in Gradio.

Action-Not Available
Vendor-gaizhenbiaogaizhenbiao
Product-chuanhuchatgptgaizhenbiao/chuanhuchatgpt
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-7807
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-10
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.60% / 44.58%
||
7 Day CHG~0.00%
Published-29 Oct, 2024 | 12:48
Updated-09 Jan, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service (DOS) in gaizhenbiao/chuanhuchatgpt

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240628 allows for a Denial of Service (DOS) attack. When uploading a file, if an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering ChuanhuChatGPT inaccessible. This uncontrolled resource consumption can lead to prolonged unavailability of the service, disrupting operations and causing potential data inaccessibility and loss of productivity.

Action-Not Available
Vendor-gaizhenbiaogaizhenbiaogaizhenbiao
Product-chuanhuchatgptgaizhenbiao/chuanhuchatgptgaizhenbiao\/chuanhuchatgpt
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-5982
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-9.1||CRITICAL
EPSS-27.21% / 97.81%
||
7 Day CHG~0.00%
Published-29 Oct, 2024 | 12:46
Updated-14 Nov, 2024 | 18:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Path Traversal in gaizhenbiao/chuanhuchatgpt

A path traversal vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability arises from unsanitized input handling in multiple features, including user upload, directory creation, and template loading. Specifically, the load_chat_history function in modules/models/base_model.py allows arbitrary file uploads, potentially leading to remote code execution (RCE). The get_history_names function in utils.py permits arbitrary directory creation. Additionally, the load_template function in utils.py can be exploited to leak the first column of CSV files. These issues stem from improper sanitization of user inputs concatenated with directory paths using os.path.join.

Action-Not Available
Vendor-gaizhenbiaogaizhenbiaogaizhenbiao
Product-chuanhuchatgptgaizhenbiao/chuanhuchatgptgaizhenbiao\/chuanhuchatgpt
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-6036
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-10.85% / 95.32%
||
7 Day CHG~0.00%
Published-10 Jul, 2024 | 22:57
Updated-15 Jul, 2025 | 13:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in gaizhenbiao/chuanhuchatgpt

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240410 allows any user to restart the server at will by sending a specific request to the `/queue/join?` endpoint with `"fn_index":66`. This unrestricted server restart capability can severely disrupt service availability, cause data loss or corruption, and potentially compromise system integrity.

Action-Not Available
Vendor-gaizhenbiaogaizhenbiaogaizhenbiao
Product-chuanhuchatgptgaizhenbiao/chuanhuchatgptchuanhuchatgpt
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-6090
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.85% / 53.74%
||
7 Day CHG~0.00%
Published-27 Jun, 2024 | 18:40
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Path Traversal Vulnerability in gaizhenbiao/chuanhuchatgpt

A path traversal vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410, allowing any user to delete other users' chat histories. This vulnerability can also be exploited to delete any files ending in `.json` on the target system, leading to a denial of service as users are unable to authenticate.

Action-Not Available
Vendor-gaizhenbiaogaizhenbiaogaizhenbiao
Product-chuanhuchatgptgaizhenbiao/chuanhuchatgptchuanhuchatgpt
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-6255
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-8.2||HIGH
EPSS-13.09% / 95.88%
||
7 Day CHG~0.00%
Published-31 Jul, 2024 | 00:00
Updated-30 Aug, 2024 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Path Traversal in gaizhenbiao/chuanhuchatgpt

A vulnerability in the JSON file handling of gaizhenbiao/chuanhuchatgpt version 20240410 allows any user to delete any JSON file on the server, including critical configuration files such as `config.json` and `ds_config_chatbot.json`. This issue arises due to improper validation of file paths, enabling directory traversal attacks. An attacker can exploit this vulnerability to disrupt the functioning of the system, manipulate settings, or potentially cause data loss or corruption.

Action-Not Available
Vendor-gaizhenbiaogaizhenbiaogaizhenbiao
Product-chuanhuchatgptgaizhenbiao/chuanhuchatgptchuanhuchatgpt
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-6038
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.65% / 46.71%
||
7 Day CHG~0.00%
Published-27 Jun, 2024 | 18:41
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ReDoS Vulnerability in gaizhenbiao/chuanhuchatgpt

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability is located in the filter_history function within the utils.py module. This function takes a user-provided keyword and attempts to match it against chat history filenames using a regular expression search. Due to the lack of sanitization or validation of the keyword parameter, an attacker can inject a specially crafted regular expression, leading to a denial of service condition. This can cause severe degradation of service performance and potential system unavailability.

Action-Not Available
Vendor-gaizhenbiaogaizhenbiaogaizhenbiao
Product-chuanhuchatgptgaizhenbiao/chuanhuchatgptchuanhuchatgpt
CWE ID-CWE-1333
Inefficient Regular Expression Complexity
CVE-2024-5823
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-8
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-6.5||MEDIUM
EPSS-0.53% / 40.74%
||
7 Day CHG~0.00%
Published-29 Oct, 2024 | 12:48
Updated-31 Oct, 2024 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Overwrite Vulnerability in gaizhenbiao/chuanhuchatgpt

A file overwrite vulnerability exists in gaizhenbiao/chuanhuchatgpt versions <= 20240410. This vulnerability allows an attacker to gain unauthorized access to overwrite critical configuration files within the system. Exploiting this vulnerability can lead to unauthorized changes in system behavior or security settings. Additionally, tampering with these configuration files can result in a denial of service (DoS) condition, disrupting normal system operation.

Action-Not Available
Vendor-gaizhenbiaogaizhenbiaogaizhenbiao
Product-chuanhuchatgptgaizhenbiao/chuanhuchatgptchuanhuchatgpt
CWE ID-CWE-73
External Control of File Name or Path
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2025-1451
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.59% / 43.92%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Oct, 2025 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insufficient Patch Leading to DoS in parisneo/lollms-webui

A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads. The server does not limit or validate the length of the boundary or the characters appended to it, allowing an attacker to craft requests with excessively long boundaries, leading to resource exhaustion and eventual denial of service (DoS). Despite an attempted patch in commit 483431bb, which blocked hyphen characters from being appended to the multipart boundary, the fix is insufficient. The server remains vulnerable if other characters (e.g., '4', 'a') are used instead of hyphens. This allows attackers to exploit the vulnerability using different characters, causing resource exhaustion and service unavailability.

Action-Not Available
Vendor-ParisNeo (LoLLMs)
Product-lollms_web_uiparisneo/lollms-webui
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-0182
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.66% / 47.23%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in danswer-ai/danswer

A vulnerability in danswer-ai/danswer version 0.9.0 allows for denial of service through memory exhaustion. The issue arises from the use of a vulnerable version of the starlette package (<=0.49) via fastapi, which was patched in fastapi version 0.115.3. The vulnerability can be exploited by sending multiple requests to the /auth/saml/callback endpoint, leading to uncontrolled memory consumption and eventual denial of service.

Action-Not Available
Vendor-danswer-ai
Product-danswer-ai/danswer
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-0315
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.67% / 47.54%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:09
Updated-02 Apr, 2025 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allocation of Resources Without Limits or Throttling in ollama/ollama

A vulnerability in ollama/ollama <=0.3.14 allows a malicious user to create a customized GGUF model file, upload it to the Ollama server, and create it. This can cause the server to allocate unlimited memory, leading to a Denial of Service (DoS) attack.

Action-Not Available
Vendor-ollamaollama
Product-ollamaollama/ollama
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-9437
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.77% / 50.93%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Denial of Service in transformeroptimus/superagi

SuperAGI version v0.0.14 is vulnerable to an unauthenticated Denial of Service (DoS) attack. The vulnerability exists in the resource upload request, where appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request causes the server to continuously process each character. This leads to excessive resource consumption and renders the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.

Action-Not Available
Vendor-superagitransformeroptimus
Product-superagitransformeroptimus/superagi
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-8966
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.74% / 50.25%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:11
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in gradio-app/gradio

A vulnerability in the file upload process of gradio-app/gradio version @gradio/video@0.10.2 allows for a Denial of Service (DoS) attack. An attacker can append a large number of characters to the end of a multipart boundary, causing the system to continuously process each character and issue warnings. This can render Gradio inaccessible for extended periods, disrupting services and causing significant downtime.

Action-Not Available
Vendor-gradiogradio-app
Product-videogradio-app/gradio
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-8984
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.79% / 51.83%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:09
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service (DoS) in berriai/litellm

A Denial of Service (DoS) vulnerability exists in berriai/litellm version v1.44.5. This vulnerability can be exploited by appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request. The server continuously processes each character, leading to excessive resource consumption and rendering the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.

Action-Not Available
Vendor-litellmberriai
Product-litellmberriai/litellm
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-5497
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.60% / 44.23%
||
7 Day CHG+0.17%
Published-11 Jun, 2026 | 08:31
Updated-03 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unbounded Frame Count in video/jpeg Base64 Data URL Processing Leads to OOM DoS in vllm-project/vllm

vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the `VideoMediaIO.load_base64()` method. When processing `video/jpeg` data URLs, the method splits the base64 data string on commas to extract individual JPEG frames without enforcing a frame count limit. An attacker can exploit this by crafting a single API request containing thousands of comma-separated base64-encoded JPEG frames in a data URL, causing the server to decode all frames into memory and crash due to excessive memory consumption. This vulnerability is reachable via the OpenAI-compatible chat completions API and does not require authentication.

Action-Not Available
Vendor-vllmvllm-projectRed Hat, Inc.
Product-vllmvllm-project/vllmRed Hat AI Inference ServerRed Hat OpenShift AI (RHOAI)Red Hat Enterprise Linux AI (RHEL AI) 3
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-9056
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.66% / 47.23%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in bentoml/bentoml

BentoML version v1.3.4post1 is vulnerable to a Denial of Service (DoS) attack. The vulnerability can be exploited by appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request. This causes the server to continuously process each character, leading to excessive resource consumption and rendering the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.

Action-Not Available
Vendor-bentoml
Product-bentoml/bentoml
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-9229
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.70% / 48.68%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service (DoS) via Multipart Boundary in stangirard/quivr

A Denial of Service (DoS) vulnerability in the file upload feature of stangirard/quivr v0.0.298 allows unauthenticated attackers to cause excessive resource consumption by appending characters to the end of a multipart boundary in an HTTP request. This leads to the server continuously processing each character, rendering the service unavailable and impacting all users.

Action-Not Available
Vendor-stangirard
Product-stangirard/quivr
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-8018
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.59% / 43.81%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service (DOS) in imartinez/privategpt

A vulnerability in imartinez/privategpt version 0.5.0 allows for a Denial of Service (DOS) attack. When uploading a file, if an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process these characters, rendering privateGPT inaccessible. This uncontrolled resource consumption can lead to prolonged unavailability of the service, disrupting operations and causing potential data inaccessibility and loss of productivity.

Action-Not Available
Vendor-pribaiimartinez
Product-privategptimartinez/privategpt
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-7768
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.73% / 49.67%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in h2oai/h2o-3

A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, `path`, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests.

Action-Not Available
Vendor-h2oh2oai
Product-h2oh2oai/h2o-3
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-9518
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-7.5||HIGH
EPSS-25.45% / 97.69%
||
7 Day CHG+0.63%
Published-13 Aug, 2019 | 20:50
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.

Action-Not Available
Vendor-n/aCanonical Ltd.Apple Inc.The Apache Software FoundationFedora ProjectOracle CorporationRed Hat, Inc.McAfee, LLCDebian GNU/LinuxopenSUSENode.js (OpenJS Foundation)Synology, Inc.
Product-ubuntu_linuxvs960hdsoftware_collectionsenterprise_linuxquayskynasswiftniodiskstation_managernode.jsdebian_linuxgraalvmopenshift_service_meshfedoramac_os_xvs960hd_firmwaretraffic_serverjboss_enterprise_application_platformjboss_core_servicesweb_gatewayleapn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-9515
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-7.5||HIGH
EPSS-87.81% / 99.74%
||
7 Day CHG~0.00%
Published-13 Aug, 2019 | 20:50
Updated-14 Jan, 2025 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Action-Not Available
Vendor-n/aCanonical Ltd.Apple Inc.F5, Inc.The Apache Software FoundationFedora ProjectOracle CorporationRed Hat, Inc.McAfee, LLCDebian GNU/LinuxopenSUSENode.js (OpenJS Foundation)Synology, Inc.
Product-single_sign-onubuntu_linuxvs960hdsoftware_collectionsopenshift_container_platformopenstackenterprise_linuxquayskynasbig-ip_local_traffic_managerswiftniodiskstation_managernode.jsdebian_linuxgraalvmopenshift_service_meshfedoramac_os_xvs960hd_firmwaretraffic_serverjboss_enterprise_application_platformjboss_core_servicesweb_gatewayleapn/a
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2022-3371
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.98% / 58.01%
||
7 Day CHG~0.00%
Published-30 Sep, 2022 | 13:15
Updated-20 May, 2025 | 16:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
No limit in length of "Token name" parameter results in DOS attack /memory corruption in ikus060/rdiffweb prior to 2.5.0a3 in ikus060/rdiffweb

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a3.

Action-Not Available
Vendor-IKUS Software
Product-rdiffwebikus060/rdiffweb
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2017-3555
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-7.5||HIGH
EPSS-2.57% / 83.29%
||
7 Day CHG~0.00%
Published-24 Apr, 2017 | 19:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the Oracle iReceivables component of Oracle E-Business Suite (subcomponent: Self Registration). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iReceivables. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle iReceivables. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Action-Not Available
Vendor-Oracle Corporation
Product-ireceivablesiReceivables
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-15225
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.42% / 87.44%
||
7 Day CHG~0.00%
Published-19 Aug, 2019 | 22:57
Updated-05 Aug, 2024 | 00:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Envoy through 1.11.1, users may configure a route to match incoming path headers via the libstdc++ regular expression implementation. A remote attacker may send a request with a very long URI to result in a denial of service (memory consumption). This is a related issue to CVE-2019-14993.

Action-Not Available
Vendor-envoyproxyn/a
Product-envoyn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-11478
Matching Score-4
Assigner-Canonical Ltd.
ShareView Details
Matching Score-4
Assigner-Canonical Ltd.
CVSS Score-5.3||MEDIUM
EPSS-94.69% / 99.85%
||
7 Day CHG~0.00%
Published-18 Jun, 2019 | 23:34
Updated-16 Sep, 2024 | 23:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SACK can cause extensive memory use via fragmented resend queue

Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment (SACK) sequences. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commit f070ef2ac66716357066b683fb0baf55f8191a2e.

Action-Not Available
Vendor-Ivanti SoftwareCanonical Ltd.Linux Kernel Organization, IncPulse SecureF5, Inc.Red Hat, Inc.
Product-ubuntu_linuxbig-ip_webacceleratorpulse_secure_virtual_application_delivery_controllerbig-ip_application_acceleration_managerenterprise_linux_atomic_hostbig-ip_policy_enforcement_managerbig-ip_fraud_protection_serviceenterprise_linuxenterprise_linux_ausbig-ip_global_traffic_managerbig-ip_local_traffic_managerbig-ip_analyticsbig-ip_domain_name_systemconnect_securebig-ip_application_security_managerbig-ip_edge_gatewaylinux_kernelbig-ip_link_controllerenterprise_linux_euspulse_policy_securebig-ip_access_policy_managertraffix_signaling_delivery_controllerenterprise_mrgbig-ip_advanced_firewall_managerLinux kernel
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2019-11924
Matching Score-4
Assigner-Meta Platforms, Inc.
ShareView Details
Matching Score-4
Assigner-Meta Platforms, Inc.
CVSS Score-7.5||HIGH
EPSS-2.40% / 81.99%
||
7 Day CHG~0.00%
Published-20 Aug, 2019 | 19:32
Updated-04 Aug, 2024 | 23:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A peer could send empty handshake fragments containing only padding which would be kept in memory until a full handshake was received, resulting in memory exhaustion. This issue affects versions v2019.01.28.00 and above of fizz, until v2019.08.05.00.

Action-Not Available
Vendor-Facebook
Product-fizzfizz
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2017-13763
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.06% / 60.41%
||
7 Day CHG~0.00%
Published-30 Aug, 2017 | 00:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of memory allocated. The Netty payload size is not limited.

Action-Not Available
Vendor-onosprojectn/a
Product-onosn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-10171
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-1.36% / 68.29%
||
7 Day CHG~0.00%
Published-02 Aug, 2019 | 13:49
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found that the fix for CVE-2018-14648 in 389-ds-base, versions 1.4.0.x before 1.4.0.17, was incorrectly applied in RHEL 7.5. An attacker would still be able to provoke excessive CPU consumption leading to a denial of service.

Action-Not Available
Vendor-Red Hat, Inc.Fedora Project
Product-389_directory_serverenterprise_linux_server_eus389-ds-base
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2017-1227
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-1.42% / 69.52%
||
7 Day CHG~0.00%
Published-31 Jul, 2017 | 21:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM Tivoli Endpoint Manager could allow a unauthorized user to consume all resources and crash the system. IBM X-Force ID: 123906.

Action-Not Available
Vendor-IBM Corporation
Product-bigfix_platformBigFix Platform
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2019-0010
Matching Score-4
Assigner-Juniper Networks, Inc.
ShareView Details
Matching Score-4
Assigner-Juniper Networks, Inc.
CVSS Score-7.5||HIGH
EPSS-2.74% / 84.35%
||
7 Day CHG~0.00%
Published-15 Jan, 2019 | 21:00
Updated-16 Sep, 2024 | 22:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Junos OS: SRX Series: Crafted HTTP traffic may cause UTM to consume all mbufs, leading to Denial of Service

An SRX Series Service Gateway configured for Unified Threat Management (UTM) may experience a system crash with the error message "mbuf exceed" -- an indication of memory buffer exhaustion -- due to the receipt of crafted HTTP traffic. Each crafted HTTP packet inspected by UTM consumes mbufs which can be identified through the following log messages: all_logs.0:Jun 8 03:25:03 srx1 node0.fpc4 : SPU3 jmpi mbuf stall 50%. all_logs.0:Jun 8 03:25:13 srx1 node0.fpc4 : SPU3 jmpi mbuf stall 51%. all_logs.0:Jun 8 03:25:24 srx1 node0.fpc4 : SPU3 jmpi mbuf stall 52%. ... Eventually the system runs out of mbufs and the system crashes (fails over) with the error "mbuf exceed". This issue only occurs when HTTP AV inspection is configured. Devices configured for Web Filtering alone are unaffected by this issue. Affected releases are Junos OS on SRX Series: 12.1X46 versions prior to 12.1X46-D81; 12.3X48 versions prior to 12.3X48-D77; 15.1X49 versions prior to 15.1X49-D101, 15.1X49-D110.

Action-Not Available
Vendor-Juniper Networks, Inc.
Product-srx5400srx1400srx5800srx110srx100srx3400srx550srx5600junossrx650srx220srx240srx3600srx210Junos OS
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-7582
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-37.64% / 98.35%
||
7 Day CHG~0.00%
Published-09 Mar, 2018 | 20:00
Updated-05 Aug, 2024 | 06:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

WebLog Expert Web Server Enterprise 9.4 allows Remote Denial Of Service (daemon crash) via a long HTTP Accept Header to TCP port 9991.

Action-Not Available
Vendor-weblogexpertn/a
Product-weblog_expertn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-12537
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.88% / 54.65%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:09
Updated-04 Apr, 2025 | 09:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Denial of Service in open-webui/open-webui

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. If a malicious actor sends a POST request with an excessively high volume of content, the server could become completely unresponsive. This could lead to severe performance issues, causing the server to become unresponsive or experience significant degradation, ultimately resulting in service interruptions for legitimate users.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui/open-webui
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-12778
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.73% / 49.66%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in aimhubio/aim

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unresponsive. The root cause is the lack of a limit on the number of metrics that can be requested per call, combined with the server's single-threaded nature, leading to excessive resource consumption and blocking of the server.

Action-Not Available
Vendor-aimstackaimhubio
Product-aimaimhubio/aim
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-10714
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.59% / 43.81%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in binary-husky/gpt_academic

A vulnerability in binary-husky/gpt_academic version 3.83 allows an attacker to cause a Denial of Service (DoS) by adding excessive characters to the end of a multipart boundary during file upload. This results in the server continuously processing each character and displaying warnings, rendering the application inaccessible. The issue occurs when the terminal shows a warning: 'multipart.multipart Consuming a byte '0x2d' in end state'.

Action-Not Available
Vendor-binary-huskybinary-husky
Product-gpt_academicbinary-husky/gpt_academic
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-11171
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.76% / 50.82%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper Input Validation in danny-avila/librechat

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. The application uses multer middleware for handling multipart file uploads. When using in-memory storage (the default setting for multer), there is no limit on the upload file size. This can lead to a server crash due to out-of-memory errors when handling large files. An attacker without any privileges can exploit this vulnerability to cause a complete denial of service. The issue is fixed in version 0.7.6.

Action-Not Available
Vendor-librechatdanny-avila
Product-librechatdanny-avila/librechat
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-10713
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.49% / 38.48%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:08
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service (DoS) via Multipart Request in szad670401/hyperlpr

A vulnerability in szad670401/hyperlpr v3.0 allows for a Denial of Service (DoS) attack. The server fails to handle excessive characters appended to the end of multipart boundaries, regardless of the character used. This flaw can be exploited by sending malformed multipart requests with arbitrary characters at the end of the boundary, leading to excessive resource consumption and a complete denial of service for all users. The vulnerability is unauthenticated, meaning no user login or interaction is required for an attacker to exploit this issue.

Action-Not Available
Vendor-szad670401
Product-szad670401/hyperlpr
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-10051
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.53% / 41.04%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-10 Dec, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Denial of Service in shaunwei/realchar

Realchar version v0.0.4 is vulnerable to an unauthenticated denial of service (DoS) attack. The vulnerability exists in the file upload request handling, where appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request causes the server to continuously process each character. This leads to excessive resource consumption and renders the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.

Action-Not Available
Vendor-shaunweishaunwei
Product-realcharshaunwei/realchar
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-10225
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.59% / 43.81%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:08
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in haotian-liu/llava

A vulnerability in haotian-liu/llava v1.2.0 allows an attacker to cause a Denial of Service (DoS) by appending a large number of characters to the end of a multipart boundary in a file upload request. This causes the server to continuously process each character, rendering the application inaccessible.

Action-Not Available
Vendor-hliuhaotian-liu
Product-llavahaotian-liu/llava
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-5743
Matching Score-4
Assigner-Internet Systems Consortium (ISC)
ShareView Details
Matching Score-4
Assigner-Internet Systems Consortium (ISC)
CVSS Score-7.5||HIGH
EPSS-6.40% / 92.83%
||
7 Day CHG~0.00%
Published-09 Oct, 2019 | 14:17
Updated-17 Sep, 2024 | 02:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Limiting simultaneous TCP clients was ineffective

By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.

Action-Not Available
Vendor-F5, Inc.Internet Systems Consortium, Inc.
Product-big-ip_webacceleratorbig-ip_application_acceleration_managerbig-ip_policy_enforcement_managerbig-ip_fraud_protection_servicebig-ip_global_traffic_managerbig-ip_local_traffic_managerbig-ip_analyticsbig-ip_domain_name_systemiworkflowbig-ip_application_security_managerbig-ip_edge_gatewaybig-ip_link_controllerbig-iq_centralized_managemententerprise_managerbig-ip_access_policy_managerbindbig-ip_advanced_firewall_managerBIND 9
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2026-48933
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-7.5||HIGH
EPSS-2.44% / 82.35%
||
7 Day CHG+1.87%
Published-26 Jun, 2026 | 01:14
Updated-30 Jun, 2026 | 12:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB. This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.

Action-Not Available
Vendor-Node.js (OpenJS Foundation)Red Hat, Inc.
Product-node.jsnodeRed Hat Enterprise Linux 9Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Hardened Images
CWE ID-CWE-190
Integer Overflow or Wraparound
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2025-0189
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.59% / 43.92%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Oct, 2025 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in aimhubio/aim

In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to other requests while processing the large image, leading to a denial of service condition.

Action-Not Available
Vendor-aimstackaimhubio
Product-aimaimhubio/aim
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-7983
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.81% / 52.46%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:10
Updated-15 Oct, 2025 | 13:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in open-webui/open-webui

In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of service. The server becomes unresponsive to other requests until the conversion is complete.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui/open-webui
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-8028
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-7.5||HIGH
EPSS-0.49% / 38.48%
||
7 Day CHG~0.00%
Published-20 Mar, 2025 | 10:09
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of Service in danswer-ai/danswer

A vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to cause a Denial of Service (DoS) by uploading a file with a malformed multipart boundary. By appending a large number of characters to the end of the multipart boundary, the server continuously processes each character, rendering the application inaccessible. This issue can be exploited by sending a single crafted request, affecting all users on the server.

Action-Not Available
Vendor-danswer-ai
Product-danswer-ai/danswer
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-20421
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-1.46% / 70.30%
||
7 Day CHG~0.00%
Published-24 Dec, 2018 | 03:00
Updated-17 Sep, 2024 | 01:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Go Ethereum (aka geth) 1.8.19 allows attackers to cause a denial of service (memory consumption) by rewriting the length of a dynamic array in memory, and then writing data to a single memory location with a large index number, as demonstrated by use of "assembly { mstore }" followed by a "c[0xC800000] = 0xFF" assignment.

Action-Not Available
Vendor-ethereumn/a
Product-go_ethereumn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-1779
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-2.49% / 82.72%
||
7 Day CHG~0.00%
Published-20 Nov, 2018 | 14:00
Updated-17 Sep, 2024 | 02:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM API Connect 2018.1 through 2018.3.7 could allow an unauthenticated attacker to cause a denial of service due to not setting limits on JSON payload size. IBM X-Force ID: 148802.

Action-Not Available
Vendor-IBM Corporation
Product-api_connectAPI Connect
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-1647
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-1.38% / 68.83%
||
7 Day CHG~0.00%
Published-05 Oct, 2018 | 13:00
Updated-16 Sep, 2024 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM QRadar Incident Forensics 7.2 and 7.3 does not properly restrict the size or amount of resources requested which could allow an unauthenticated user to cause a denial of service. IBM X-Force ID: 144650.

Action-Not Available
Vendor-IBM Corporation
Product-qradar_incident_forensicsQRadar Incident Forensics
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-15462
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-8.6||HIGH
EPSS-2.06% / 78.96%
||
7 Day CHG~0.00%
Published-03 May, 2019 | 14:45
Updated-19 Nov, 2024 | 19:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Firepower Threat Defense Software TCP Ingress Handler Denial of Service Vulnerability

A vulnerability in the TCP ingress handler for the data interfaces that are configured with management access to Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an increase in CPU and memory usage, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient ingress TCP rate limiting for TCP ports 22 (SSH) and 443 (HTTPS). An attacker could exploit this vulnerability by sending a crafted, steady stream of TCP traffic to port 22 or 443 on the data interfaces that are configured with management access to the affected device.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-firepower_threat_defenseCisco Firepower Threat Defense Software
CWE ID-CWE-399
Not Available
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-15458
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-3.07% / 86.02%
||
7 Day CHG~0.00%
Published-10 Jan, 2019 | 19:00
Updated-26 Nov, 2024 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Firepower Management Center Disk Utilization Denial of Service Vulnerability

A vulnerability in the Shell Access Filter feature of Cisco Firepower Management Center (FMC), when used in conjunction with remote authentication, could allow an unauthenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition. The vulnerability occurs because the configuration of the Shell Access Filter, when used with a specific type of remote authentication, can cause a system file to have unbounded writes. An attacker could exploit this vulnerability by sending a steady stream of remote authentication requests to the appliance when the specific configuration is applied. Successful exploitation could allow the attacker to increase the size of a system log file so that it consumes most of the disk space. The lack of available disk space could lead to a DoS condition in which the device functions could operate abnormally, making the device unstable.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-secure_firewall_management_centerCisco Firepower Management Center
CWE ID-CWE-399
Not Available
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2023-27958
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-9.1||CRITICAL
EPSS-1.62% / 73.09%
||
7 Day CHG~0.00%
Published-08 May, 2023 | 00:00
Updated-04 Nov, 2025 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.3, macOS Monterey 12.6.4, macOS Big Sur 11.7.5. A remote user may be able to cause unexpected system termination or corrupt kernel memory.

Action-Not Available
Vendor-Apple Inc.
Product-macosmacOS
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2018-12934
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-3.25% / 86.81%
||
7 Day CHG~0.00%
Published-28 Jun, 2018 | 14:00
Updated-05 Aug, 2024 | 08:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM). This can occur during execution of cxxfilt.

Action-Not Available
Vendor-n/aGNU
Product-binutilsn/a
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
  • Previous
  • 1
  • 2
  • Next
Details not found