Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
Open Source Social Network (OSSN) is open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable to resource exhaustion. An attacker can upload a specially crafted image with extreme pixel dimensions (e.g., $10000 \times 10000$ pixels). While the compressed file size on disk may be small, the server attempts to allocate significant memory and CPU cycles during the decompression and resizing process, leading to a Denial of Service (DoS) condition. It is highly recommended to upgrade to OSSN 9.0. This version introduces stricter validation of image dimensions and improved resource management during the processing phase. Those who cannot upgrade immediately can mitigate the risk by adjusting their php.ini settings to strictly limit memory_limit and max_execution_time and/or implementing a client-side and server-side check on image headers to reject files exceeding reasonable pixel dimensions (e.g., $4000 \times 4000$ pixels) before processing begins.
AnalysisAI
Resource exhaustion in Open Source Social Network (OSSN) versions prior to 9.0 allows remote unauthenticated attackers to trigger Denial of Service by uploading specially crafted images with extreme pixel dimensions (e.g., 10000×10000). While the compressed file size appears small, server-side decompression and resizing allocates excessive memory and CPU, crashing or degrading service. EPSS exploitation probability data not available, but the attack vector is straightforward (AV:N/AC:L/PR:N) with publicly documented technical details and fix commit available on GitHub. CVSS 8.2 reflects the easy remote exploitation path despite limited confidentiality impact.
Technical ContextAI
This vulnerability exploits CWE-770 (Allocation of Resources Without Limits or Throttling) in OSSN's image processing pipeline. When users upload profile pictures or other image content, OSSN uses PHP's GD library or ImageMagick to decompress and resize images. Compressed image formats like PNG or JPEG can store extreme pixel dimensions in file headers while maintaining small file sizes through compression. During server-side processing, the application allocates memory proportional to width × height × color_depth to build the uncompressed bitmap in memory. A 10000×10000 pixel image requires approximately 400MB of RAM for a 32-bit RGBA bitmap, easily exhausting PHP's default memory_limit. The affected CPE indicates all versions of opensource-socialnetwork prior to the 9.0 release are vulnerable, as they lack dimension validation before resource allocation.
RemediationAI
Upgrade to OSSN 9.0 immediately, which introduces strict image dimension validation and improved resource management during processing. The fix is implemented in commit 12357113b3be189da7f6e429979a464e4f982117 available at https://github.com/opensource-socialnetwork/opensource-socialnetwork/commit/12357113b3be189da7f6e429979a464e4f982117. For environments unable to upgrade immediately, implement layered mitigations: (1) Edit php.ini to set memory_limit to 256M or lower and max_execution_time to 30 seconds, which limits blast radius but may break legitimate large image uploads; (2) Add server-side validation rejecting images exceeding 4000×4000 pixels by parsing image headers with getimagesize() before GD/ImageMagick processing, avoiding resource allocation entirely; (3) Implement upload rate limiting (e.g., 5 uploads per user per hour) to prevent automated DoS campaigns. Note that php.ini limits alone may still allow degradation if multiple concurrent malicious uploads occur, so dimension validation is the most effective compensating control. Client-side validation provides UX improvement but is bypassable and should not be relied upon for security.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25384