Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated (PR:N) low-complexity request to exposed LAPI yields availability-only impact (A:H, C/I:N); AC:L since the non-default network exposure is a deployment precondition, not per-attack effort.
Primary rating from Vendor (https://github.com/crowdsecurity/crowdsec).
CVSS VectorVendor: https://github.com/crowdsecurity/crowdsec
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
The LAPI router uses gin-contrib/gzip with DefaultDecompressHandle globally (pkg/apiserver/controllers/controller.go). This middleware decompresses incoming request bodies without enforcing a maximum decompressed size.
The endpoints /v1/watchers or /v1/watchers/login require no authentication. An attacker can send small gzip-compressed JSON payloads that, when decompressed, result in hundreds of MB of valid JSON occupying server memory. Sending enough requests concurrently will cause LAPI to allocate excessive heap memory, leading the OS to forcibly terminate the process.
This vulnerability is not exploitable from the network in default configurations, as LAPI only listens on the loopback interface. If developers' applications are using a multi-server setup, LAPI will be exposed in the network, in which case they are at risk if untrusted IPs can access it.
Impact
Exploiting this vulnerability will make LAPI unreachable, meaning that bouncers will not be able to fetch new decisions (but existing decisions will still be enforced) and log processors will not be able to send alerts, effectively denying the creation of new decisions.
Workarounds
If the LAPI is exposed on the network (either directly or through a reverse proxy), for example in the case of a multi-server deployment, restrict access to trusted IP addresses.
AnalysisAI
Denial of service in CrowdSec's Local API (LAPI) HTTP router, versions 1.7.0 through 1.7.7, lets attackers exhaust process memory by posting small gzip-compressed bodies that decompress into hundreds of megabytes of valid JSON. The global gin-contrib/gzip DefaultDecompressHandle middleware decompressed request bodies with no size cap, and because /v1/watchers and /v1/watchers/login require no authentication, concurrent requests drive the OS OOM-killer to terminate LAPI. No public exploit identified at time of analysis; EPSS is low (0.07%). Impact is bounded in default deployments since LAPI listens only on loopback, but multi-server setups that expose LAPI to the network are at real risk.
Technical ContextAI
CrowdSec is an open-source collaborative intrusion-prevention system; its LAPI (Local API) is the central Go service (github.com/crowdsecurity/crowdsec) that receives alerts from log processors and serves decisions to bouncers. The router registers gin-contrib/gzip with DefaultDecompressHandle globally in pkg/apiserver/controllers/controller.go, which transparently inflates any request carrying Content-Encoding: gzip before handlers parse it. This maps to CWE-409 (Improper Handling of Highly Compressed Data / 'decompression bomb'): because inflation happens with no bound on the resulting byte count, a highly compressible payload (e.g. long runs of whitespace) yields a large amplification factor, converting a tiny network payload into a large heap allocation. The fix (commit 54a0dfe6…) introduces a BodyLimit middleware wrapping http.MaxBytesReader with an UnauthenticatedBodyLimit (2 MiB) and AuthenticatedBodyLimit (50 MiB), enforced on the decompressed stream so oversized inflated bodies are rejected with HTTP 400 'request body too large'.
RemediationAI
Vendor-released patch: upgrade CrowdSec to 1.7.8 or later, which adds BodyLimit middleware enforcing a 2 MiB cap on unauthenticated endpoints and 50 MiB on authenticated ones over the decompressed body (commits 54a0dfe6c16b7687b0da6634e0b19ef0f5d9bb30 and 56d0d6915f7f25941dc5b4f484028646f6601a37; advisory GHSA-273h-gvwr-c3qj). If you cannot upgrade immediately and LAPI is exposed on the network, restrict access to trusted IP addresses only - via host firewall rules, the reverse proxy allow-list, or by rebinding LAPI back to the loopback interface where the architecture permits; the trade-off is that legitimate remote agents/bouncers on untrusted networks must be explicitly whitelisted or they lose connectivity. Where feasible, front LAPI with a proxy that caps request body size and rejects or limits gzip-encoded bodies as a stopgap. Default loopback-only installations require no urgent action but should still be updated during normal maintenance.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45021
GHSA-273h-gvwr-c3qj