CVE-2024-10907

7.5 HIGH

📋 TL;DR

This vulnerability in lm-sys/fastchat v0.2.36 allows unauthenticated attackers to cause denial of service by sending malformed multipart requests with excessive characters in boundary fields. The server processes each extra character in an infinite loop, consuming excessive resources and making the service unavailable to all users. Anyone running the vulnerable version is affected.

💻 Affected Systems

Products:
  • lm-sys/fastchat
Versions: v0.2.36
Operating Systems: All platforms running fastchat
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the vulnerable version are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage with resource exhaustion leading to server crashes or unavailability for all users.

🟠

Likely Case

Service degradation or temporary unavailability due to resource exhaustion from DoS attacks.

🟢

If Mitigated

Minimal impact with proper rate limiting, input validation, and updated software.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes internet-facing instances prime targets for DoS attacks.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit, but attack surface is smaller than internet-facing.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests but doesn't require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.2.37 or later

Vendor Advisory: https://huntr.com/bounties/bf3ca81d-3508-4455-95d9-0b653e46d6e4

Restart Required: Yes

Instructions:

1. Update fastchat to v0.2.37 or later using pip (quote the specifier so the shell does not treat `>=` as a redirect): pip install --upgrade "fschat>=0.2.37"
2. Restart the fastchat server
3. Verify the update with: pip show fschat

🔧 Temporary Workarounds

Rate Limiting

Applies to: all platforms

Implement request rate limiting to prevent excessive malformed requests from overwhelming the server.

Web Application Firewall

Applies to: all platforms

Deploy WAF rules to block requests with malformed multipart boundaries.

🧯 If You Can't Patch

  • Implement strict input validation for multipart boundaries at the application or proxy layer
  • Isolate the vulnerable service behind reverse proxies with request filtering capabilities

🔍 How to Verify

Check if Vulnerable:

Check if running fastchat v0.2.36: pip show fschat | grep Version

Check Version:

pip show fschat | grep Version

Verify Fix Applied:

Confirm version is v0.2.37 or later: pip show fschat | grep Version

📡 Detection & Monitoring

Log Indicators:

  • High CPU/memory usage spikes
  • Multiple requests with malformed multipart boundaries
  • Server restart logs

Network Indicators:

  • Unusually high number of POST requests to multipart endpoints
  • Requests with abnormally long boundary parameters
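
As an added example (not code from the fastchat project or from this advisory), the proxy-layer boundary check that the workaround and the network indicators above call for, run over constructed sample Content-Type headers; the length and character limits it enforces are the RFC 2046 boundary grammar, and the helper names are my own.

```python
import re
from typing import List, Optional

# RFC 2046 section 5.1.1: a boundary is 1..70 characters drawn from bchars
# (digits, letters, '()+_,-./:=? and space) and must not end with a space.
MAX_BOUNDARY_LEN = 70
_BCHARS_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]+$")


def extract_boundary(content_type: str) -> Optional[str]:
    """Return the boundary parameter of a multipart Content-Type, else None.
    Simplified parsing: quoted values that contain ';' are not handled."""
    media_type, _, params = content_type.partition(";")
    if not media_type.strip().lower().startswith("multipart/"):
        return None
    for param in params.split(";"):
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "boundary":
            return value.strip().strip('"')
    return None


def boundary_is_valid(boundary: Optional[str]) -> bool:
    """True only for a boundary within the RFC 2046 grammar and length limit."""
    if not boundary or len(boundary) > MAX_BOUNDARY_LEN:
        return False
    return bool(_BCHARS_RE.match(boundary)) and not boundary.endswith(" ")


def should_reject(content_type: str) -> bool:
    """Proxy-layer rule: reject multipart requests with a missing or malformed
    boundary; non-multipart requests pass through untouched."""
    if not content_type.partition(";")[0].strip().lower().startswith("multipart/"):
        return False
    return not boundary_is_valid(extract_boundary(content_type))


# Constructed sample Content-Type headers, as a proxy or log scanner sees them.
SAMPLE_HEADERS = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "application/json",
    "multipart/form-data; boundary=" + "A" * 5000,    # oversized boundary
    "multipart/form-data",                             # boundary missing
    'multipart/form-data; boundary="bad\x00chars"',    # illegal character
]


def flagged_indices(headers: List[str]) -> List[int]:
    """Indices of headers a WAF rule or SIEM search should flag: [2, 3, 4]."""
    return [i for i, h in enumerate(headers) if should_reject(h)]
```

The same `should_reject` predicate can be applied to the Content-Type field of access logs to produce the "abnormally long boundary" indicator listed above.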

SIEM Query:

(source="fastchat" AND (cpu_usage>90 OR memory_usage>90)) OR (http_request contains "boundary=" AND length(http_request) > 1000)

🔗 References