CVE-2025-1451 — Allocation of Resources Without Limits or Throttling in Lollms-webui
Severity
7.5 HIGH (NVD)
EPSS
0.2%
top 51.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Mar 20
Description
A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads. The server does not limit or validate the length of the boundary or the characters appended to it, allowing an attacker to craft requests with excessively long boundaries, leading to resource exhaustion and eventual denial of service (DoS). Despite an attempted patch in commit 483431bb, which blocked hyphen characters from being appended to the multipart boundary, the fix is in…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 2 packages
Vulnerability Details
GHSA (1)
GHSA-r3hj-whx4-hvvj: A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads (2025-03-20)