CVE-2024-58259
Published 2025-09-02
Priority: P3 48 high
CVSS 3.1: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS: 0.48% (37.9th percentile)
A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. An attacker can exploit this by sending excessively large payloads, which are fully loaded into memory during processing, leading to Denial of Service (DoS).
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | rancher_rancher | >= 0 < 0.0.0-20250813072957-aee95d4e2a41 | 0.0.0-20250813072957-aee95d4e2a41 |
| github.com | rancher_rancher | >= 2.10.0 < 2.10.9 | 2.10.9 |
| github.com | rancher_rancher | >= 2.11.0 < 2.11.5 | 2.11.5 |
| github.com | rancher_rancher | >= 2.12.0 < 2.12.1 | 2.12.1 |
| github.com | rancher_rancher | >= 2.9.0 < 2.9.11 | 2.9.11 |
| suse | rancher | < 0.0.0-20250813072957-aee95d4e2a41 | 0.0.0-20250813072957-aee95d4e2a41 |
| suse | rancher | >= 2.10.0 < 2.10.9 | 2.10.9 |
| suse | rancher | >= 2.11.0 < 2.11.5 | 2.11.5 |
| suse | rancher | >= 2.12.0 < 2.12.1 | 2.12.1 |
| suse | rancher | >= 2.9.0 < 2.9.11 | 2.9.11 |
OSV · 2025-09-08
CVE-2024-58259: Rancher affected by unauthenticated Denial of Service in github.com/rancher/rancher
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/rancher/rancher from v2.9.0 before v2.9.11, from v2.10.0 before v2.10.9, from v2.11.0 before v2.11.5, from v2.12.0 before v2.12.1.
OSV · 2025-08-29
CVE-2024-58259 [HIGH]: Rancher affected by unauthenticated Denial of Service
### Impact
A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. An attacker can exploit this by sending excessively large payloads, which are fully loaded into memory during processing. This could result in:
- Denial of Service (DoS): The server process may crash or become unresponsive when memory consumption exceeds available resources.
- Unauthenticated and authenticated exploitation: While the issue was initially observed in unauthenticated `/v3-public/*` endpoints, the absence of request body size limits also affected several authenticated APIs, broadening the potential attack surface. It's
GHSA · 2025-08-29
CVE-2024-58259 [HIGH] CWE-770: Rancher affected by unauthenticated Denial of Service
### Impact
A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. An attacker can exploit this by sending excessively large payloads, which are fully loaded into memory during processing. This could result in:
- Denial of Service (DoS): The server process may crash or become unresponsive when memory consumption exceeds available resources.
- Unauthenticated and authenticated exploitation: While the issue was initially observed in unauthenticated `/v3-public/*` endpoints, the absence of request body size limits also affected several authenticated APIs, broadening the potential attack surface. It's
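The weakness described in both advisory excerpts above (CWE-770: a request body read fully into memory with no size cap) and its standard mitigation in Go, as an added example that is not Rancher's code. The handler names, the 1 MiB limit, the `/v3-public/example` path and the JSON login shape are all assumptions for illustration; the constructed oversized body is built in-process so the example runs offline. The unbounded handler buffers whatever the client sends; the bounded one wraps the body with `http.MaxBytesReader`, so the read fails once the limit is crossed and the server never holds more than the cap in memory.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes is a hypothetical per-request cap chosen for this example.
const maxBodyBytes = 1 << 20 // 1 MiB

// loginRequest is an assumed JSON shape for an unauthenticated endpoint.
type loginRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// unboundedHandler shows the CWE-770 pattern: io.ReadAll buffers the entire
// body in memory before anything is validated, however large it is.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	var req loginRequest
	if err := json.Unmarshal(body, &req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// boundedHandler wraps the body so that reads beyond maxBodyBytes fail with
// *http.MaxBytesError, and streams JSON decoding instead of buffering.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var req loginRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// countingReader records how many bytes a handler actually pulled from the
// client, which is the quantity the vulnerability is about.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// largeBody builds a constructed, syntactically valid login request whose
// username field is padded to roughly the requested size.
func largeBody(size int) string {
	return `{"username":"` + strings.Repeat("A", size) + `","password":"x"}`
}

// send drives a handler in-process and returns the status code and the number
// of body bytes the handler consumed. The path is a hypothetical placeholder.
func send(h http.HandlerFunc, body string) (int, int64) {
	cr := &countingReader{r: strings.NewReader(body)}
	req := httptest.NewRequest(http.MethodPost, "/v3-public/example", cr)
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, cr.n
}

func main() {
	big := largeBody(4 << 20) // 4 MiB constructed payload
	status, n := send(unboundedHandler, big)
	fmt.Printf("unbounded: status=%d bytes buffered=%d\n", status, n)
	status, n = send(boundedHandler, big)
	fmt.Printf("bounded:   status=%d bytes read=%d (cap %d)\n", status, n, maxBodyBytes)
}
```

Wrapping the reader rather than checking `Content-Length` matters because a chunked request carries no length header (the test request above has `ContentLength` of -1 for exactly that reason), so a header check alone would still let the unbounded path allocate without limit.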
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.