Skip to main content

Open Source Social Network EUVDEUVD-2026-25384

| CVE-2026-41309 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-24 GitHub_M
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

7
Patch released
Apr 29, 2026 - 20:56 nvd
Patch available
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Patch available
Apr 24, 2026 - 05:31 EUVD
Analysis Generated
Apr 24, 2026 - 03:31 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 03:00 euvd
EUVD-2026-25384
Analysis Generated
Apr 24, 2026 - 03:00 vuln.today
CVE Published
Apr 24, 2026 - 02:31 nvd
HIGH 8.2

DescriptionGitHub Advisory

Open Source Social Network (OSSN) is open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable to resource exhaustion. An attacker can upload a specially crafted image with extreme pixel dimensions (e.g., $10000 \times 10000$ pixels). While the compressed file size on disk may be small, the server attempts to allocate significant memory and CPU cycles during the decompression and resizing process, leading to a Denial of Service (DoS) condition. It is highly recommended to upgrade to OSSN 9.0. This version introduces stricter validation of image dimensions and improved resource management during the processing phase. Those who cannot upgrade immediately can mitigate the risk by adjusting their php.ini settings to strictly limit memory_limit and max_execution_time and/or implementing a client-side and server-side check on image headers to reject files exceeding reasonable pixel dimensions (e.g., $4000 \times 4000$ pixels) before processing begins.

AnalysisAI

Resource exhaustion in Open Source Social Network (OSSN) versions prior to 9.0 allows remote unauthenticated attackers to trigger Denial of Service by uploading specially crafted images with extreme pixel dimensions (e.g., 10000×10000). While the compressed file size appears small, server-side decompression and resizing allocates excessive memory and CPU, crashing or degrading service. EPSS exploitation probability data not available, but the attack vector is straightforward (AV:N/AC:L/PR:N) with publicly documented technical details and fix commit available on GitHub. CVSS 8.2 reflects the easy remote exploitation path despite limited confidentiality impact.

Technical ContextAI

This vulnerability exploits CWE-770 (Allocation of Resources Without Limits or Throttling) in OSSN's image processing pipeline. When users upload profile pictures or other image content, OSSN uses PHP's GD library or ImageMagick to decompress and resize images. Compressed image formats like PNG or JPEG can store extreme pixel dimensions in file headers while maintaining small file sizes through compression. During server-side processing, the application allocates memory proportional to width × height × color_depth to build the uncompressed bitmap in memory. A 10000×10000 pixel image requires approximately 400MB of RAM for a 32-bit RGBA bitmap, easily exhausting PHP's default memory_limit. The affected CPE indicates all versions of opensource-socialnetwork prior to the 9.0 release are vulnerable, as they lack dimension validation before resource allocation.

RemediationAI

Upgrade to OSSN 9.0 immediately, which introduces strict image dimension validation and improved resource management during processing. The fix is implemented in commit 12357113b3be189da7f6e429979a464e4f982117 available at https://github.com/opensource-socialnetwork/opensource-socialnetwork/commit/12357113b3be189da7f6e429979a464e4f982117. For environments unable to upgrade immediately, implement layered mitigations: (1) Edit php.ini to set memory_limit to 256M or lower and max_execution_time to 30 seconds, which limits blast radius but may break legitimate large image uploads; (2) Add server-side validation rejecting images exceeding 4000×4000 pixels by parsing image headers with getimagesize() before GD/ImageMagick processing, avoiding resource allocation entirely; (3) Implement upload rate limiting (e.g., 5 uploads per user per hour) to prevent automated DoS campaigns. Note that php.ini limits alone may still allow degradation if multiple concurrent malicious uploads occur, so dimension validation is the most effective compensating control. Client-side validation provides UX improvement but is bypassable and should not be relied upon for security.

Share

EUVD-2026-25384 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy