Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding.
This issue affects DivvyDrive: from 4.8.2.19 before 4.8.3.2.
AnalysisAI
Remote attackers can cause excessive resource allocation and flooding attacks in DivvyDrive 4.8.2.19 through 4.8.3.1 by exploiting uncontrolled object attribute modification combined with absent resource throttling. The vulnerability permits low confidentiality impact but high integrity and availability compromise when a user interacts with attacker-controlled content. TR-CERT has issued an advisory, though no CISA KEV listing or public exploit code has been identified at time of analysis. EPSS data not available to assess exploitation probability.
Technical ContextAI
This vulnerability combines CWE-915 (improperly controlled modification of dynamically-determined object attributes, also known as 'prototype pollution' or 'mass assignment') with resource exhaustion weaknesses. DivvyDrive appears to be a file sharing or cloud storage platform based on vendor naming. The flaw likely allows attackers to manipulate object properties that control resource allocation decisions, bypassing intended limits on storage, uploads, requests, or other consumable resources. The CVSS vector indicates network-accessible exploitation with low complexity, requiring user interaction but no authentication, suggesting the attack may be triggered through crafted links, malicious file uploads, or API requests processed by authenticated users.
RemediationAI
Upgrade DivvyDrive to version 4.8.3.2 or later, which addresses the object attribute modification and resource allocation issues per TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182. Organizations unable to immediately patch should implement compensating controls: deploy web application firewall rules to detect and block requests with excessive or malformed object properties; enforce strict rate limiting on API endpoints and upload operations at the infrastructure layer (reverse proxy or load balancer); implement input validation to whitelist permitted object attributes and reject dynamic property assignment; monitor resource consumption metrics for anomalous spikes indicating exploitation attempts. Note that WAF and rate limiting may impact legitimate high-volume users and require tuning. Input validation changes require careful testing to avoid breaking application functionality that relies on dynamic object handling.
More in Divvydrive
View allStored cross-site scripting in DivvyDrive 4.8.2.9 through 4.8.3.1 enables remote attackers to inject malicious scripts t
Cross-site scripting (XSS) in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to execute arbi
Cross-Site Request Forgery in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote attackers to execute unauthorized actions
Stored cross-site scripting in DivvyDrive (versions 4.8.2.23 through before 4.8.3.1) allows authenticated low-privilege
Stored XSS in DivvyDrive versions v.4.8.2.23 through before v.4.8.3.1 enables an authenticated low-privilege user to inj
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209720
GHSA-9439-7mjc-q3p7