CVE-2024-10955

Summary

A Regular Expression Denial of Service (ReDoS) vulnerability exists in gaizhenbiao/chuanhuchatgpt, as of commit 20b2e02. The server uses the regex pattern r'<[^>]+>' to parse user input. In Python's default regex engine, this pattern can take polynomial time to match certain crafted inputs. An attacker can exploit this by uploading a malicious JSON payload, causing the server to consume 100% CPU for an extended period. This can lead to a Denial of Service (DoS) condition, potentially affecting the entire server.

Affected Software

VendorProductVersion RangeStatus
gaizhenbiaogaizhenbiao/chuanhuchatgptunspecified <= latestaffected

Weaknesses

  • CWE-1333: CWE-1333 Inefficient Regular Expression Complexity

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References