Skip to main content

Summarize CLI CVE-2026-53781

| EUVDEUVD-2026-36307 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-11 VulnCheck GHSA-q9xm-f36c-xm3q
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-delivered attack requires victim to invoke CLI against malicious feed (UI:R); attacker needs no authentication; only local disk availability is impacted (A:L, S:U, C:N, I:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 11, 2026 - 20:21 vuln.today
Analysis Generated
Jun 11, 2026 - 20:21 vuln.today

DescriptionCVE.org

Summarize before 0.17.0 contains a resource exhaustion vulnerability that allows remote attackers to cause disk exhaustion by serving media responses that bypass the enforced size limit through missing or misreported Content-Length headers, chunked transfer encoding, or failed HEAD requests. Attackers who control a podcast feed or media URL can stream an unbounded response to local storage via the temp-file download path, exhausting disk or system resources on the host running the CLI.

AnalysisAI

Disk exhaustion in Summarize CLI (all versions before 0.17.0) allows remote attackers who control a podcast feed or media URL to cause denial of service by circumventing the tool's enforced media download size limit. The size cap can be bypassed through missing or misreported Content-Length headers, chunked transfer encoding, or deliberately failed HEAD requests, causing the CLI's temp-file download path to stream an unbounded response directly to local storage. No active exploitation has been confirmed (not listed in CISA KEV), no public proof-of-concept has been identified, and EPSS data is unavailable; however, the zero authentication requirement on the attacker side and low attack complexity make this a credible threat for users who process untrusted or third-party feeds.

Technical ContextAI

Summarize is an open-source CLI tool (CPE: cpe:2.3:a:steipete:summarize:*:*:*:*:*:*:*:*) designed for summarizing podcast and media content. The root cause maps to CWE-770 (Allocation of Resources Without Limits or Throttling): the CLI attempts to enforce a maximum size on media downloads, but the enforcement logic depends on HTTP-level signals - Content-Length headers and HEAD request pre-checks - that an attacker-controlled server can omit, falsify, or fail. HTTP chunked transfer encoding provides an additional bypass because chunk sizes are declared incrementally rather than upfront. Because no secondary, filesystem-level size guard caps the temp-file write path, the download loop can consume all available disk space. The vulnerability affects the CLI's core media fetch path and is triggered by processing any podcast feed or media URL whose origin the attacker controls.

RemediationAI

Upgrade Summarize CLI to version 0.17.0 or later; this is the vendor-released patch confirmed by the GitHub release tag, PR #237 (https://github.com/steipete/summarize/pull/237), and the fix commit at https://github.com/steipete/summarize/commit/14de194c24c5e0fba4bdb4a6f7766eb6ea3ed750. If immediate upgrade is not possible, restrict the CLI from processing untrusted or third-party podcast feeds and media URLs - this eliminates the attacker's control over the media origin but does not fix the underlying flaw and may break legitimate use cases involving external feeds. As an additional compensating control for automated pipeline deployments, apply OS-level disk quotas or cgroups storage limits on the process to cap the maximum disk any single invocation can consume; this limits blast radius but does not prevent the exhaustion attempt from triggering errors. No other workarounds are referenced in the available data.

Share

CVE-2026-53781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy