CVE-2024-8736

MEDIUM

lollms_web_ui V12 - Denial of Service via CSRF Boundary Parsing in File Upload Endpoints

Title source: llm

Description

A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing file uploads, the application still processes multipart boundaries, leading to resource exhaustion. By appending additional characters to the multipart boundary, an attacker can cause the server to parse each byte of the boundary, ultimately leading to service unavailability. This vulnerability is present in the `/upload_avatar`, `/upload_app`, and `/upload_logo` endpoints.

References (1)

Core 1

Core References

Exploit

https://huntr.com/bounties/935dbc03-1b43-4dbb-b6cd-1aa95a789d4f

Scores

CVSS v3 6.5

EPSS 0.0023

EPSS Percentile 13.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (1)

lollms/lollms_web_ui 12

Published Mar 20, 2025

Tracked Since Feb 18, 2026