CVE-2021-3649

7.5 HIGH

📋 TL;DR

CVE-2021-3649 is a regular expression denial of service (ReDoS) vulnerability in Chatwoot's URL validation logic. Attackers can cause CPU exhaustion and service degradation by sending specially crafted URLs. All Chatwoot instances using vulnerable versions are affected.

💻 Affected Systems

Products:
  • Chatwoot
Versions: Before commit aa7db90cd2d23dbcf22a94f1e4c100dd909e2172
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Chatwoot deployments using default configuration are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to CPU exhaustion, potentially affecting all Chatwoot functionality and dependent services.

🟠 Likely Case

Degraded performance and intermittent service disruptions affecting chat functionality and user experience.

🟢 If Mitigated

Minimal impact with proper rate limiting and resource monitoring in place.

🌐 Internet-Facing: HIGH - Publicly accessible Chatwoot instances are directly vulnerable to unauthenticated attacks.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious URLs to vulnerable endpoints, which is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit aa7db90cd2d23dbcf22a94f1e4c100dd909e2172 and later

Vendor Advisory: https://github.com/chatwoot/chatwoot/commit/aa7db90cd2d23dbcf22a94f1e4c100dd909e2172

Restart Required: Yes

Instructions:

1. Update Chatwoot to the latest version or apply commit aa7db90cd2d23dbcf22a94f1e4c100dd909e2172.
2. Restart Chatwoot services.
3. Verify the fix is applied.

🔧 Temporary Workarounds

Rate Limiting

Applies to: all

Implement rate limiting on URL validation endpoints to reduce impact of ReDoS attacks.

# Configure rate limiting in your web server or application firewall

Input Validation

Applies to: all

Add additional input validation to reject suspicious URL patterns before regex processing.

# Implement pre-validation in application code
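As an added illustration of this workaround (example code written for this page, not Chatwoot's code and not the change in the referenced commit), the Ruby snippet below gates a URL with cheap, backtracking-free checks before any pattern matching happens: a byte-length cap, a control-character check, and a parse with the standard library's URI parser. Only input that survives those checks reaches a regular expression, and that match is run under a time budget where the interpreter supports one. The cap of 2048 bytes, the allowed-scheme list, and the anchored URL_SHAPE pattern are assumptions chosen for the example; the per-match timeout relies on the Regexp timeout keyword introduced in Ruby 3.2 and degrades to a plain match on older interpreters.

```ruby
require "uri"

# Assumed limits for this example; tune them for your deployment.
MAX_URL_LENGTH  = 2048
ALLOWED_SCHEMES = %w[http https].freeze

# Stand-in for the application's URL pattern (hypothetical). It is anchored and
# has no nested or overlapping quantifiers, so its backtracking stays bounded.
URL_SHAPE = %r{\Ahttps?://[^\s/?#]+(?:[/?#]\S*)?\z}

# Cheap checks that run before any regular expression. Returns [ok, reason].
def prevalidate_url(input)
  return [false, :not_a_string]  unless input.is_a?(String)
  return [false, :too_long]      if input.bytesize > MAX_URL_LENGTH
  # A single character class scans the string once; no backtracking possible.
  return [false, :control_chars] if input.match?(/[\x00-\x1f\x7f]/)

  uri = URI.parse(input)
  return [false, :bad_scheme] unless ALLOWED_SCHEMES.include?(uri.scheme)
  return [false, :no_host]    if uri.host.nil? || uri.host.empty?
  [true, :ok]
rescue URI::InvalidURIError
  [false, :malformed]
end

# Run a regex match under a wall-clock budget. On Ruby >= 3.2 the pattern is
# rebuilt with a timeout; a timeout counts as a rejection, not a crash.
def match_within_budget(pattern, str, seconds: 0.5)
  re = if Regexp.method_defined?(:timeout)
         Regexp.new(pattern.source, pattern.options, timeout: seconds)
       else
         pattern # older interpreters: no per-match timeout available
       end
  re.match?(str)
rescue StandardError => e
  raise unless defined?(Regexp::TimeoutError) && e.is_a?(Regexp::TimeoutError)
  false
end

# Full check: pre-validation first, then the (budgeted) pattern match.
def safe_url?(input)
  ok, _reason = prevalidate_url(input)
  return false unless ok
  match_within_budget(URL_SHAPE, input)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for a quick local run.
  ["https://example.com/path?q=1", "ftp://example.com", "a" * 3000, "not a url"].each do |u|
    puts "#{u[0, 40].inspect} -> #{prevalidate_url(u).inspect}, safe=#{safe_url?(u)}"
  end
end
```

Rejecting oversized or malformed input before the pattern runs is what bounds the worst case: even a pattern that can backtrack exponentially is harmless if the input it sees is short and already known to be URL-shaped. The time budget is a second line of defence for the case where a pattern you do not control (a library's, or one inherited from an older release) still has to run.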

🧯 If You Can't Patch

  • Implement strict rate limiting on all URL processing endpoints
  • Deploy WAF rules to block malicious URL patterns and monitor for ReDoS attempts

🔍 How to Verify

Check if Vulnerable:

Check if Chatwoot version is before commit aa7db90cd2d23dbcf22a94f1e4c100dd909e2172 by examining the git commit history or version metadata.

Check Version:

git log --oneline -1

Verify Fix Applied:

Verify the commit aa7db90cd2d23dbcf22a94f1e4c100dd909e2172 is present in your Chatwoot installation.

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Slow response times on URL validation endpoints
  • Repeated requests with complex URL patterns

Network Indicators:

  • Unusual volume of requests to URL validation endpoints
  • Requests containing specially crafted URLs with repeating patterns

SIEM Query:

source="chatwoot" AND (cpu_usage>90 OR response_time>5000ms) AND uri="*validate*"
