SigningHub
CVE-2025-56223
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable, low-complexity resource-exhaustion with availability-only impact; PR:L assessed because reaching an e-signature upload endpoint most likely requires an authenticated session despite NVD's PR:N.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
A lack of rate limiting in the component /Home/UploadStreamDocument of SigningHub v8.6.8 allows attackers to cause a Denial of Service (DoS) via uploading an excessive number of files.
AnalysisAI
Denial of service in Ascertia SigningHub v8.6.8 stems from a missing rate limit on the /Home/UploadStreamDocument endpoint, letting attackers flood the server with an excessive number of file uploads until resources are exhausted and the e-signature service becomes unavailable. The CVSS vector marks it network-reachable and unauthenticated (PR:N) with high availability impact but no confidentiality or integrity effect. A GitHub repository (saykino/CVE-2025-56223) associated with the CVE indicates publicly available exploit code exists; the flaw is not in CISA KEV and EPSS exploitation probability is modest at 0.54%.
Technical ContextAI
SigningHub is Ascertia's web-based enterprise digital-signature and document-workflow platform (CPE cpe:2.3:a:ascertia:signinghub). The affected component, the /Home/UploadStreamDocument controller action, streams uploaded documents into the application. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling): the endpoint accepts uploads without enforcing a rate limit, quota, or throttle, so repeated or high-volume upload requests can consume disk, memory, CPU, or connection resources faster than the server can reclaim them. This is a resource-management weakness rather than a memory-corruption or logic bug, so it does not yield code execution or data disclosure - only availability degradation.
RemediationAI
No vendor-released patch version was identified at time of analysis - the references contain only the vendor homepage (http://signinghub.com) and a researcher GitHub page (https://github.com/saykino/CVE-2025-56223), not a tagged fix release; administrators should contact Ascertia support to confirm a fixed build beyond 8.6.8. As specific compensating controls: enforce rate limiting and per-session upload quotas on the /Home/UploadStreamDocument endpoint at a reverse proxy or WAF (e.g. limit requests per IP/session per interval), which throttles abuse but may inconvenience legitimate bulk uploaders; cap maximum upload size and per-account storage quotas to bound disk exhaustion, at the cost of rejecting large legitimate documents; require and verify authentication on the upload path if not already enforced, reducing anonymous abuse; and monitor for upload-volume spikes with alerting so operators can respond before full resource exhaustion. Restricting network access to the SigningHub interface to trusted networks/VPN further narrows the attack surface where deployment allows.
More in Signinghub
View allArbitrary code execution in Ascertia SigningHub v8.6.8 stems from an unrestricted file upload weakness that lets an atta
Authentication bypass in Ascertia SigningHub v8.6.8 lets remote unauthenticated attackers brute-force the One-Time Passw
Uncontrolled account creation in Ascertia SigningHub v8.6.8 allows an attacker to repeatedly add user accounts with no r
In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the reset password function, leading to an ema
In Ascertia SigningHub through 8.6.8, there is a lack of rate limiting on the invite user function, leading to an email
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today