Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnerability was in the recipe import functionality. This vulnerability allows an authenticated user to crash the server or make a significantly degrade its performance by uploading a large size ZIP file (ZIP Bomb). This vulnerability is fixed in 2.6.5.
AnalysisAI
Tandoor Recipes versions prior to 2.6.5 suffer from a denial-of-service vulnerability in the recipe import functionality that allows authenticated users to crash the application server or severely degrade performance by uploading a specially crafted ZIP bomb file. The vulnerability affects recipe management and meal planning features accessible to authenticated users and has been patched in version 2.6.5.
Technical ContextAI
The vulnerability exists in Tandoor Recipes' recipe import mechanism, which processes user-supplied ZIP archives without adequate safeguards against decompression attacks. This is an instance of CWE-409 (Improper Handling of Highly Compressed Data), a well-known attack vector where a small compressed file expands to enormous size upon decompression, consuming server memory and CPU resources. The flaw occurs because the application fails to validate decompressed file sizes or implement resource limits during the ZIP extraction process, allowing a malicious actor to craft a ZIP bomb-a file designed to decompress to an enormous size-that causes the server to exhaust available system resources. Tandoor Recipes is a self-hosted recipe management application commonly deployed in Docker containers and on personal servers, making authenticated recipe import a typical user workflow.
RemediationAI
Vendor-released patch: upgrade to Tandoor Recipes version 2.6.5 or later, which includes fixes to the ZIP import handling that implement resource limits and decompression validation. Users should follow the official Tandoor Recipes upgrade documentation for their deployment method (Docker, bare metal, etc.). As a temporary mitigation prior to upgrade, restrict recipe import functionality to trusted accounts only or disable the import feature entirely via application settings if available. Check the security advisory at https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-w8pq-4pwf-r2m8 for specific patching instructions and version-specific deployment notes.
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Tandoor Recipes prior to 2.5.1 contains a blind server-side request forgery vulnerability in the Cookmate recipe import
Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. Rated medium severity (CVS
Recipes version 1.5.10 allows arbitrary HTTP requests to be made through the server. Rated medium severity (CVSS 6.5), t
In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” fu
Path traversal in Tandoor Recipes prior to 2.5.1 allows authenticated users with import permissions to read arbitrary fi
Privilege escalation in Tandoor Recipes prior to version 2.6.4 allows authenticated users with read-only shared access t
Authenticated users can modify and expose private recipes in Tandoor Recipes through broken object-level authorization i
In Recipes, versions 0.17.0 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in the ‘Name’ field of Ke
In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in copy to clipboard funct
In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cart” functiona
Unauthenticated API input validation flaws in Tandoor Recipes (<2.6.4) enable cross-tenant data leakage and denial of se
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21549