CVE-2025-53634

EUVD-2025-21052 | HIGH 7.5 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 06:52 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 06:52 (euvd): EUVD-2025-21052
Patch Released: Mar 16, 2026 - 06:52 (nvd): Patch available
CVE Published: Jul 10, 2025 - 20:15 (nvd): HIGH 7.5

Description

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. The HTTP Gateway processes headers, but with no timeout set. With a slow loris attack, an attacker could cause Denial of Service (DoS). Exploitation does not require authentication nor authorization, so anyone can exploit it. It should nonetheless not be exploitable as it is highly recommended to bury Chall-Manager deep within the infrastructure due to its large capabilities, so no users could reach the system. Patch has been implemented by commit 1385bd8 and shipped in v0.1.4.

Analysis

CVE-2025-53634 is a Denial of Service (DoS) vulnerability in Chall-Manager's HTTP Gateway: header processing has no timeout, so an unauthenticated attacker can hold connections open with a Slowloris attack and exhaust the server's connection capacity. The vulnerability affects Chall-Manager versions prior to v0.1.4 and has a CVSS 3.1 score of 7.5 (High), with no privileges and no user interaction required. It is not listed as actively exploited in public KEV catalogs, the patch is already available, and the vendor's architectural recommendation to isolate Chall-Manager deep within the infrastructure significantly reduces real-world exposure.

Technical Context

Chall-Manager is a platform-agnostic challenge orchestration system that exposes its API through an HTTP Gateway component. The vulnerability is an instance of CWE-770 (Allocation of Resources Without Limits or Throttling): the gateway's HTTP server applied no timeout to reading request headers, so a connection could sit in the header-reading phase indefinitely. Slowloris targets exactly that phase. The attacker opens many connections, sends a request line on each, then trickles header lines at a slow rate and never sends the blank line that terminates the header block. Each such connection occupies a worker, a file descriptor and a slot in the server's connection capacity for as long as the attacker keeps it alive, so a single low-bandwidth host can starve legitimate clients. No authentication or authorization check can run before the headers are complete, so the attack needs no credentials. The fix is a deadline on the header-read phase (and, more generally, bounded read, write and idle timeouts plus a header-size cap), which the v0.1.4 patch introduces. Because the bug is in the gateway itself, it is present on every platform Chall-Manager is deployed to; what varies between deployments is only whether an attacker can reach the gateway at all.
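To make the bug class concrete, here is an added example in Go, written for this page and not taken from Chall-Manager or from the v0.1.4 patch, assuming a net/http-style gateway. It puts a server with no timeouts next to one with ReadHeaderTimeout set, and drives both with a probe that behaves like a single Slowloris connection: request line, then one header line per tick, never the terminating blank line. The handler, the /healthz route, the timeout values and the probe's header names are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// gatewayHandler stands in for the real gateway's handler (constructed for this example).
func gatewayHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	return mux
}

// NewVulnerableServer has no timeouts at all: a client that sends a request line and
// then trickles header bytes holds its connection, and the resources behind it,
// for as long as it likes. This is the CWE-770 pattern behind CVE-2025-53634.
func NewVulnerableServer() *http.Server {
	return &http.Server{Handler: gatewayHandler()}
}

// NewHardenedServer bounds every phase of a connection. ReadHeaderTimeout is the one
// that defeats Slowloris: the whole header block must arrive within headerTimeout of
// the connection being accepted, or the server drops the socket.
func NewHardenedServer(headerTimeout time.Duration) *http.Server {
	return &http.Server{
		Handler:           gatewayHandler(),
		ReadHeaderTimeout: headerTimeout,     // headers must be complete by then
		ReadTimeout:       4 * headerTimeout, // headers plus body
		WriteTimeout:      10 * time.Second,  // time allowed to write the response
		IdleTimeout:       30 * time.Second,  // keep-alive idle time between requests
		MaxHeaderBytes:    1 << 16,           // caps header size (memory), not time
	}
}

// Serve starts srv on an ephemeral loopback port and returns its address.
func Serve(srv *http.Server) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	go func() { _ = srv.Serve(ln) }()
	return ln.Addr().String(), nil
}

// SlowHeaderProbe mimics one Slowloris connection to addr. It returns true as soon as
// the server gives up on the request (closes the socket or answers it, e.g. with a
// 408) and how long that took; false after maxWait means the server is still waiting,
// which is the vulnerable behaviour.
func SlowHeaderProbe(addr string, tick, maxWait time.Duration) (bool, time.Duration, error) {
	conn, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return false, 0, err
	}
	defer conn.Close()
	start := time.Now()
	if _, err := fmt.Fprintf(conn, "GET /healthz HTTP/1.1\r\nHost: %s\r\n", addr); err != nil {
		return false, 0, err
	}
	buf := make([]byte, 512)
	for i := 0; time.Since(start) < maxWait; i++ {
		// Drip one header line; a write error means the peer already reset us.
		if _, err := fmt.Fprintf(conn, "X-Slow-%d: a\r\n", i); err != nil {
			return true, time.Since(start), nil
		}
		// A bounded read doubles as the pacing delay: a timeout means the server is
		// still waiting for more headers; data, EOF or a reset means it gave up.
		_ = conn.SetReadDeadline(time.Now().Add(tick))
		n, err := conn.Read(buf)
		if n > 0 {
			return true, time.Since(start), nil
		}
		if err != nil {
			var ne net.Error
			if errors.As(err, &ne) && ne.Timeout() {
				continue
			}
			return true, time.Since(start), nil
		}
	}
	return false, time.Since(start), nil
}

func main() {
	for _, tc := range []struct {
		name string
		srv  *http.Server
		wait time.Duration
	}{
		{"no timeouts", NewVulnerableServer(), time.Second},
		{"ReadHeaderTimeout=300ms", NewHardenedServer(300 * time.Millisecond), 3 * time.Second},
	} {
		addr, err := Serve(tc.srv)
		if err != nil {
			panic(err)
		}
		gaveUp, took, _ := SlowHeaderProbe(addr, 100*time.Millisecond, tc.wait)
		fmt.Printf("%-24s server gave up=%v after %v\n", tc.name, gaveUp, took.Round(time.Millisecond))
		_ = tc.srv.Close()
	}
}
```

Run it with `go run .`: the server without timeouts is still waiting when the probe stops after a second, while the hardened one drops the connection a few hundred milliseconds after accept. The probe uses one connection; a real Slowloris opens as many as the target will accept, which is why the timeout matters more than any per-request cost.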

Affected Products

Chall-Manager versions prior to v0.1.4 (the 0.1.0 through 0.1.3 releases). The HTTP Gateway component is the attack surface. No CPE strings are referenced in the provided data; the product identifier would be 'chall-manager' with the version range <0.1.4. The flaw is in the gateway itself, so it is present on every deployment target (Docker, Kubernetes, bare metal, cloud platforms); it is exploitable only where an attacker can open a TCP connection to the gateway, so deployments that follow the vendor's guidance and keep the gateway unreachable from untrusted networks carry the bug but offer no practical attack path. Organizations running v0.1.4 or later are not affected.

Remediation

Immediate remediation: upgrade Chall-Manager to version 0.1.4 or later, which ships the fix from commit 1385bd8. Until the upgrade is possible, reduce reach and bound connection lifetime at the layers you control: (1) restrict access to the HTTP Gateway with firewall or network-policy rules so that only trusted internal networks can reach it, in line with the vendor's strong recommendation to bury the system deep within the infrastructure; (2) place a reverse proxy (nginx, HAProxy, Apache httpd) in front of Chall-Manager and set its header-phase timeout, since Slowloris targets header transmission (in nginx that is client_header_timeout; client_body_timeout and send_timeout bound the later phases of a request and do not help on their own); (3) cap concurrent connections per source at the proxy (for example nginx limit_conn) so a single host cannot hold the whole pool; (4) raise the process file-descriptor limit on the gateway host (ulimit -n, or LimitNOFILE= in the systemd unit) so exhaustion takes more connections, and note that net.ipv4.tcp_fin_timeout only governs FIN-WAIT-2 and does not shorten an established connection that is still trickling header bytes; (5) alert on an unusual number of long-lived established connections per peer to the gateway port (for example by counting the output of ss -tn state established). Long-term: never expose Chall-Manager directly to untrusted networks and keep it on a current release.

Priority Score

38 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.2
CVSS: +38
POC: 0
