CVE-2025-1451

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-1451

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1451.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-1451

Published

2025-03-20T10:15:53.777Z

Modified

2025-11-20T12:29:09.211890Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads. The server does not limit or validate the length of the boundary or the characters appended to it, allowing an attacker to craft requests with excessively long boundaries, leading to resource exhaustion and eventual denial of service (DoS). Despite an attempted patch in commit 483431bb, which blocked hyphen characters from being appended to the multipart boundary, the fix is insufficient. The server remains vulnerable if other characters (e.g., '4', 'a') are used instead of hyphens. This allows attackers to exploit the vulnerability using different characters, causing resource exhaustion and service unavailability.

References

https://huntr.com/bounties/63f5aea4-953b-4b38-9f10-3afe425be1d4

Affected packages

Git / github.com/parisneo/lollms-webui

Affected ranges

Type: GIT
Repo: https://github.com/parisneo/lollms-webui
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

57a3a7bab44a57ecdca8b395db67890878dadfd6

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.0.9

Other

v12

v13

v3.*

v3.0

v3.5

v4.*

v4.0

v5.*

v5.0

v6.*

v6.0

v6.5

v6.5.0

v6.5rc2

v6.7

v7.*

v7.0

v8.*

v8.0

v8.5

v9.*

v9.0

v9.1

v9.2

v9.3

v9.4

v9.5

v9.6

v9.8

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1451.json"