Skip to main content

CrowdSec LAPI CVE-2026-44981

| EUVDEUVD-2026-45021 HIGH
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-05-27 https://github.com/crowdsecurity/crowdsec GHSA-273h-gvwr-c3qj
8.2
CVSS 4.0 · Vendor: https://github.com/crowdsecurity/crowdsec
Share

Severity by source

Vendor (https://github.com/crowdsecurity/crowdsec) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Unauthenticated (PR:N) low-complexity request to exposed LAPI yields availability-only impact (A:H, C/I:N); AC:L since the non-default network exposure is a deployment precondition, not per-attack effort.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/crowdsecurity/crowdsec).

CVSS VectorVendor: https://github.com/crowdsecurity/crowdsec

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 16, 2026 - 20:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 16, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 16, 2026 - 20:22 NVD
8.2 (HIGH)
Source Code Evidence Fetched
May 27, 2026 - 21:26 vuln.today
Analysis Generated
May 27, 2026 - 21:26 vuln.today

DescriptionCVE.org

The LAPI router uses gin-contrib/gzip with DefaultDecompressHandle globally (pkg/apiserver/controllers/controller.go). This middleware decompresses incoming request bodies without enforcing a maximum decompressed size.

The endpoints /v1/watchers or /v1/watchers/login require no authentication. An attacker can send small gzip-compressed JSON payloads that, when decompressed, result in hundreds of MB of valid JSON occupying server memory. Sending enough requests concurrently will cause LAPI to allocate excessive heap memory, leading the OS to forcibly terminate the process.

This vulnerability is not exploitable from the network in default configurations, as LAPI only listens on the loopback interface. If developers' applications are using a multi-server setup, LAPI will be exposed in the network, in which case they are at risk if untrusted IPs can access it.

Impact

Exploiting this vulnerability will make LAPI unreachable, meaning that bouncers will not be able to fetch new decisions (but existing decisions will still be enforced) and log processors will not be able to send alerts, effectively denying the creation of new decisions.

Workarounds

If the LAPI is exposed on the network (either directly or through a reverse proxy), for example in the case of a multi-server deployment, restrict access to trusted IP addresses.

AnalysisAI

Denial of service in CrowdSec's Local API (LAPI) HTTP router, versions 1.7.0 through 1.7.7, lets attackers exhaust process memory by posting small gzip-compressed bodies that decompress into hundreds of megabytes of valid JSON. The global gin-contrib/gzip DefaultDecompressHandle middleware decompressed request bodies with no size cap, and because /v1/watchers and /v1/watchers/login require no authentication, concurrent requests drive the OS OOM-killer to terminate LAPI. No public exploit identified at time of analysis; EPSS is low (0.07%). Impact is bounded in default deployments since LAPI listens only on loopback, but multi-server setups that expose LAPI to the network are at real risk.

Technical ContextAI

CrowdSec is an open-source collaborative intrusion-prevention system; its LAPI (Local API) is the central Go service (github.com/crowdsecurity/crowdsec) that receives alerts from log processors and serves decisions to bouncers. The router registers gin-contrib/gzip with DefaultDecompressHandle globally in pkg/apiserver/controllers/controller.go, which transparently inflates any request carrying Content-Encoding: gzip before handlers parse it. This maps to CWE-409 (Improper Handling of Highly Compressed Data / 'decompression bomb'): because inflation happens with no bound on the resulting byte count, a highly compressible payload (e.g. long runs of whitespace) yields a large amplification factor, converting a tiny network payload into a large heap allocation. The fix (commit 54a0dfe6…) introduces a BodyLimit middleware wrapping http.MaxBytesReader with an UnauthenticatedBodyLimit (2 MiB) and AuthenticatedBodyLimit (50 MiB), enforced on the decompressed stream so oversized inflated bodies are rejected with HTTP 400 'request body too large'.

RemediationAI

Vendor-released patch: upgrade CrowdSec to 1.7.8 or later, which adds BodyLimit middleware enforcing a 2 MiB cap on unauthenticated endpoints and 50 MiB on authenticated ones over the decompressed body (commits 54a0dfe6c16b7687b0da6634e0b19ef0f5d9bb30 and 56d0d6915f7f25941dc5b4f484028646f6601a37; advisory GHSA-273h-gvwr-c3qj). If you cannot upgrade immediately and LAPI is exposed on the network, restrict access to trusted IP addresses only - via host firewall rules, the reverse proxy allow-list, or by rebinding LAPI back to the loopback interface where the architecture permits; the trade-off is that legitimate remote agents/bouncers on untrusted networks must be explicitly whitelisted or they lose connectivity. Where feasible, front LAPI with a proxy that caps request body size and rejects or limits gzip-encoded bodies as a stopgap. Default loopback-only installations require no urgent action but should still be updated during normal maintenance.

Share

CVE-2026-44981 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy