CVE-2024-12864
HIGHCVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Description
A Denial of Service (DoS) vulnerability was discovered in the file upload feature of netease-youdao/qanything version v2.0.0. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. An attacker can exploit this vulnerability by sending a large filename, causing the server to become overwhelmed and unavailable for legitimate users. This attack does not require authentication, making it highly scalable and increasing the risk of exploitation.
Analysis
A Denial of Service (DoS) vulnerability was discovered in the file upload feature of netease-youdao/qanything version v2.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical Context
This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. A Denial of Service (DoS) vulnerability was discovered in the file upload feature of netease-youdao/qanything version v2.0.0. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. An attacker can exploit this vulnerability by sending a large filename, causing the server to become overwhelmed and unavailable for legitimate users. This attack does not require authentication, making it highly scalable and increasing the risk of exploitation. Affected products include: Youdao Qanything.
Affected Products
Youdao Qanything.
Remediation
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today