CVE-2024-12063

7.5 HIGH

📋 TL;DR

A Denial of Service vulnerability in imartinez/privategpt v0.6.2 allows attackers to crash the server by uploading files with excessively long filenames. This affects all users running the vulnerable version of PrivateGPT. The server becomes unavailable to legitimate users during the attack.

💻 Affected Systems

Products:
  • imartinez/privategpt
Versions: v0.6.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the vulnerable version are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage making PrivateGPT unavailable to all users until the server is manually restarted.

🟠 Likely Case

Temporary service disruption affecting all users of the vulnerable instance.

🟢 If Mitigated

Minimal impact with proper input validation and rate limiting in place.

🌐 Internet-Facing: HIGH - Publicly accessible instances are directly vulnerable to unauthenticated DoS attacks.
🏢 Internal Only: MEDIUM - Internal attackers could still disrupt services but with more limited access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending a specially crafted HTTP request with a large filename parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.6.3 or later

Vendor Advisory: https://huntr.com/bounties/7db0091f-cb53-4cde-aad7-7ce491dfd8d9

Restart Required: Yes

Instructions:

1. Update PrivateGPT to version v0.6.3 or later.
2. Restart the PrivateGPT service.
3. Verify the fix by testing with normal file uploads.

🔧 Temporary Workarounds

Implement filename length validation

all

Add server-side validation to reject filenames exceeding a reasonable length (e.g., 255 characters).
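
One way to implement this check in front of an upload handler, as an added example that is not PrivateGPT's own code: it bounds the raw Content-Disposition header before parsing and measures the filename in bytes rather than characters. The function names and both limits are assumptions made for this example.

```python
from email.message import Message

# Assumed limits: 255 follows the workaround's "e.g., 255 characters";
# the raw-header cap is a constructed value for this example.
MAX_FILENAME_BYTES = 255
MAX_HEADER_BYTES = 1024


class FilenameRejected(ValueError):
    """Raised when an upload's filename fails validation."""


def checked_upload_filename(content_disposition: str) -> str:
    """Return the filename of a multipart part, or raise FilenameRejected."""
    # Bound the raw header first so an oversized value is never parsed.
    if len(content_disposition.encode("utf-8", "replace")) > MAX_HEADER_BYTES:
        raise FilenameRejected("Content-Disposition header too large")
    # Refuse CR/LF, other control characters and lone surrogates.
    if not content_disposition.isprintable():
        raise FilenameRejected("non-printable characters in header")

    # The stdlib parser handles quoting and RFC 2231 filename* parameters.
    part = Message()
    part["Content-Disposition"] = content_disposition
    filename = part.get_filename()
    if not filename:
        raise FilenameRejected("missing filename")

    # Count encoded bytes, not characters: multi-byte names can stay under
    # 255 characters and still exceed a 255-byte path-component limit.
    if len(filename.encode("utf-8")) > MAX_FILENAME_BYTES:
        raise FilenameRejected("filename too long")
    return filename


def is_rejected(content_disposition: str) -> bool:
    """Boolean form of the check for callers that do not want exceptions."""
    try:
        checked_upload_filename(content_disposition)
    except FilenameRejected:
        return True
    return False
```

Call the check before the upload is written to disk or handed to ingestion, and return an HTTP 4xx response when it raises.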

Rate limit file upload endpoints

all

Implement rate limiting on the file upload endpoint to prevent rapid exploitation attempts.

🧯 If You Can't Patch

  • Deploy a web application firewall (WAF) with rules to block requests with excessively long filenames.
  • Place PrivateGPT behind a reverse proxy that filters and validates incoming requests before they reach the application.

🔍 How to Verify

Check if Vulnerable:

Check if running PrivateGPT version v0.6.2. Attempt to upload a file with a filename exceeding 1000 characters and monitor for service disruption.

Check Version:

Check the version in the PrivateGPT interface or deployment configuration files.

Verify Fix Applied:

After updating, attempt the same long filename upload test - the request should be rejected without service disruption.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with unusually long filenames in file upload logs
  • Server error logs showing crashes or timeouts during file uploads

Network Indicators:

  • Spike in HTTP POST requests to file upload endpoint
  • Unusually large Content-Disposition headers

SIEM Query:

source="privategpt" AND (filename_length>1000 OR http_request_size>10000)
