Multipart Boundary Vulnerability in parisneo/lollms-webui
CVE-2025-1451

7.5 HIGH

Key Information:

Vendor
Parisneo
CVE Published:
20 March 2025

Summary

A vulnerability exists in parisneo/lollms-webui v13 in the handling of multipart boundaries during file uploads. The server does not restrict the length or contents of the boundary, so attackers can send requests with excessively long or specially crafted boundaries. An attempted mitigation blocked hyphen characters, but it is inadequate: the server remains susceptible when other characters, such as '4' or 'a', are used. This can lead to resource exhaustion and denial of service, disrupting normal operations.
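
Added example (not code from lollms-webui or from this advisory): an allowlist check that bounds the boundary's length and alphabet using the RFC 2046 grammar, shown beside a simplified stand-in for a hyphen-only denylist. All function names and the MAX_CONTENT_TYPE_LEN value are assumptions made for illustration.

```python
import re
from email.message import Message

MAX_CONTENT_TYPE_LEN = 256  # assumed cap on the raw header, checked before parsing
# RFC 2046 section 5.1.1: 1 to 70 characters from bchars, not ending in a space.
BOUNDARY_RE = re.compile(r"[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]")


def hyphen_denylist_ok(boundary: str) -> bool:
    """Hypothetical stand-in for a denylist that only looks for hyphen floods."""
    return "-" * 100 not in boundary


def boundary_ok(boundary: str) -> bool:
    """Allowlist check: length and alphabet are both bounded by the RFC grammar."""
    return BOUNDARY_RE.fullmatch(boundary) is not None


def accept_upload(content_type: str) -> bool:
    """Decide from the Content-Type header alone whether to parse the body."""
    if len(content_type) > MAX_CONTENT_TYPE_LEN:
        return False
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_type() != "multipart/form-data":
        return False
    boundary = msg.get_boundary()
    return boundary is not None and boundary_ok(boundary)


if __name__ == "__main__":
    # Constructed sample boundaries, not captured traffic.
    samples = {
        "browser-style": "----WebKitFormBoundary7MA4YWxkTrZu0gW",
        "long run of 'a'": "a" * 100_000,
        "long run of '4'": "4" * 100_000,
        "long run of '-'": "-" * 100_000,
    }
    for name, b in samples.items():
        print(f"{name:16} denylist={hyphen_denylist_ok(b)!s:5} allowlist={boundary_ok(b)}")
```

The denylist passes the 'a' and '4' boundaries that the allowlist rejects, which is the gap the summary describes.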

Affected Version(s)

parisneo/lollms-webui <= unspecified

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
