Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (CIRCL) · only source for this CVE.
CVSS VectorVendor: CIRCL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding.
AnalysisAI
MISP's CSP report endpoint in versions 2.5.0 through 2.5.37 accepts payloads up to 1 MB per report instead of the developer-intended 1 KB limit, due to a 1,024x magnitude error in the truncation guard (1024 * 1024 instead of 1024). On deployments where the endpoint is reachable by untrusted clients, unauthenticated remote parties (per CVSS PR:N) can abuse this discrepancy to flood application logs with oversized reports, contributing to disk exhaustion or log integrity degradation. No public exploit code exists and active exploitation has not been confirmed; the CVSS 4.0 score of 5.1 (Low-Medium) reflects the limited, availability-only impact.
Technical ContextAI
MISP (Malware Information Sharing Platform) is an open-source threat intelligence sharing platform written in PHP using the CakePHP framework. The vulnerable code resides in app/Controller/ServersController.php within the cspReport() method, which receives Content Security Policy violation reports from browsers. CWE-400 (Uncontrolled Resource Consumption) describes the root cause: the truncation condition used strlen($report) > 1024 * 1024 (evaluating to 1,048,576 bytes / 1 MB) while the inline comment correctly stated the intent was to limit reports to 1 KB (1024 bytes). This 1,024x discrepancy means each logged CSP report could consume up to 1 MB of log space rather than the intended 1 KB. The affected CPE is cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:* covering the version range 2.5.0 through 2.5.37.
RemediationAI
The upstream fix is available via GitHub commit 02932cccab230b295afcaf5aa05e363d30db0ec9, which corrects the truncation guard from strlen($report) > 1024 * 1024 to strlen($report) > 1024. This fix was reported as 'patch available from vendor' per the source intelligence, but a specific tagged release version incorporating this commit has not been independently confirmed from the available data - operators should verify against the MISP release changelog or ENISA EUVD-2026-31155. As a compensating control where patching is not immediately possible, network-level access controls should be applied to restrict who can POST to the /servers/cspReport endpoint, limiting it to known browser clients or internal networks only - this directly addresses the 'reachable by untrusted clients' prerequisite. Additionally, log rotation policies with size caps can reduce the blast radius of log flooding. Monitoring for unusually large POST bodies to this endpoint can serve as a detection signal.
An issue was discovered in MISP 2.4.9x before 2.4.99. Rated high severity (CVSS 8.8), this vulnerability is remotely exp
An issue was discovered in MISP before 2.4.158. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo
app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_de
SQL injection in MISP threat intelligence platform versions prior to 2.5.37 allows remote unauthenticated attackers to m
An issue was discovered in MISP before 2.4.158. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitab
MISP 2.4.172 mishandles different certificate file extensions in server sync. Rated high severity (CVSS 7.5), this vulne
In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishandles parameter data that is used in a shell_exec call. R
An issue was discovered in app/Controller/UsersController.php in MISP 2.4.92. Rated critical severity (CVSS 9.8), this v
An issue was discovered in MISP 2.4.128. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
MISP before 2.4.135 lacks an ACL check, related to app/Controller/GalaxyElementsController.php and app/Model/GalaxyEleme
app/View/Elements/genericElements/IndexTable/Fields/generic_field.ctp in MISP 2.4.144 does not sanitize certain data rel
MISP 2.4.148, in certain configurations, allows SQL injection via the app/Model/Log.php $conditions['org'] value. Rated
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31155
GHSA-gfvj-j222-m85v