Skip to main content

DivvyDrive CVE-2025-14341

| EUVDEUVD-2025-209720 HIGH
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-05-07 TR-CERT GHSA-9439-7mjc-q3p7
8.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.3 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 07, 2026 - 15:02 EUVD
Analysis Generated
May 07, 2026 - 14:30 vuln.today
CVE Published
May 07, 2026 - 13:13 nvd
HIGH 8.3

DescriptionCVE.org

Improperly controlled modification of Dynamically-Determined object attributes, Allocation of resources without limits or throttling vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Excessive Allocation, Flooding.

This issue affects DivvyDrive: from 4.8.2.19 before 4.8.3.2.

AnalysisAI

Remote attackers can cause excessive resource allocation and flooding attacks in DivvyDrive 4.8.2.19 through 4.8.3.1 by exploiting uncontrolled object attribute modification combined with absent resource throttling. The vulnerability permits low confidentiality impact but high integrity and availability compromise when a user interacts with attacker-controlled content. TR-CERT has issued an advisory, though no CISA KEV listing or public exploit code has been identified at time of analysis. EPSS data not available to assess exploitation probability.

Technical ContextAI

This vulnerability combines CWE-915 (improperly controlled modification of dynamically-determined object attributes, also known as 'prototype pollution' or 'mass assignment') with resource exhaustion weaknesses. DivvyDrive appears to be a file sharing or cloud storage platform based on vendor naming. The flaw likely allows attackers to manipulate object properties that control resource allocation decisions, bypassing intended limits on storage, uploads, requests, or other consumable resources. The CVSS vector indicates network-accessible exploitation with low complexity, requiring user interaction but no authentication, suggesting the attack may be triggered through crafted links, malicious file uploads, or API requests processed by authenticated users.

RemediationAI

Upgrade DivvyDrive to version 4.8.3.2 or later, which addresses the object attribute modification and resource allocation issues per TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182. Organizations unable to immediately patch should implement compensating controls: deploy web application firewall rules to detect and block requests with excessive or malformed object properties; enforce strict rate limiting on API endpoints and upload operations at the infrastructure layer (reverse proxy or load balancer); implement input validation to whitelist permitted object attributes and reject dynamic property assignment; monitor resource consumption metrics for anomalous spikes indicating exploitation attempts. Note that WAF and rate limiting may impact legitimate high-volume users and require tuning. Input validation changes require careful testing to avoid breaking application functionality that relies on dynamic object handling.

Share

CVE-2025-14341 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy