CVE-2024-25978
📋 TL;DR
This vulnerability in Moodle's file picker unzip functionality allows attackers to cause denial of service by uploading specially crafted zip files that trigger excessive resource consumption. It affects Moodle installations with the vulnerable file picker component enabled.
💻 Affected Systems
- Moodle
📦 What is this software?
Fedora by Fedoraproject
Moodle by Moodle
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion, potentially affecting all users of the Moodle instance.
Likely Case
Temporary service degradation or unavailability for users attempting to use the file picker functionality.
If Mitigated
Minimal impact with proper file size limits and monitoring in place.
🎯 Exploit Status
Exploitation requires file upload capability, which typically requires authentication in Moodle.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Any Moodle release that includes the MDL-74641 fix
Vendor Advisory: https://moodle.org/mod/forum/discuss.php?d=455634
Restart Required: No
Instructions:
1. Update Moodle to a version containing the MDL-74641 fix.
2. Apply the patch from the Moodle git repository if manual patching is needed.
3. Clear Moodle caches after the update.
🔧 Temporary Workarounds
Disable file picker unzip functionality
Scope: all
Temporarily disable the vulnerable unzip feature in the file picker.
Edit the Moodle configuration to disable file picker unzip or restrict the allowed file upload types.
Implement file size limits
Scope: all
Add server-side file size validation before processing.
Configure web server (Apache/Nginx) file upload limits and the PHP upload_max_filesize/post_max_size settings.
🧯 If You Can't Patch
- Implement strict file upload size limits at web server and application level
- Monitor server resources and implement rate limiting on file upload endpoints
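The two size-related mitigations above (validate before processing, cap what the server will produce) can be illustrated with the following added example. It is not Moodle's code and not the MDL-74641 patch; it is written in Python rather than Moodle's PHP so it runs stand-alone, and the limits (`MAX_ENTRIES`, `MAX_TOTAL_UNCOMPRESSED`, `MAX_COMPRESSION_RATIO`) are placeholder policy values. The first function inspects only the zip central directory, so nothing is extracted before the archive is judged; the second enforces the cap on bytes actually produced during extraction, because header sizes in a crafted archive cannot be trusted.

```python
import io
import zipfile

# Placeholder policy values for this example; tune per deployment.
MAX_ENTRIES = 1000
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB of declared output
MAX_COMPRESSION_RATIO = 100                 # declared uncompressed / compressed


def inspect_archive(data, max_entries=MAX_ENTRIES,
                    max_total=MAX_TOTAL_UNCOMPRESSED,
                    max_ratio=MAX_COMPRESSION_RATIO):
    """Pre-flight check that reads only the central directory; extracts nothing.

    Returns (ok, reason). Rejects archives with too many entries, a declared
    total output above the cap, an implausible compression ratio, or entry
    names that would escape the extraction directory.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a valid zip archive"
    with zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            return False, f"too many entries: {len(infos)} > {max_entries}"
        total = 0
        for info in infos:
            if info.is_dir():
                continue
            parts = info.filename.replace("\\", "/").split("/")
            if info.filename.startswith(("/", "\\")) or ".." in parts:
                return False, f"unsafe path: {info.filename}"
            total += info.file_size
            if total > max_total:
                return False, f"declared uncompressed size exceeds {max_total} bytes"
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                return False, f"compression ratio too high for {info.filename}"
    return True, "ok"


def extract_with_cap(data, max_total=MAX_TOTAL_UNCOMPRESSED, chunk=64 * 1024):
    """Extract into memory while counting bytes actually produced.

    Aborts with ValueError as soon as the running total passes max_total,
    so a lying header cannot turn into unbounded CPU, memory or disk use.
    """
    out = {}
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            buf = io.BytesIO()
            with zf.open(info) as fh:
                while True:
                    piece = fh.read(chunk)
                    if not piece:
                        break
                    produced += len(piece)
                    if produced > max_total:
                        raise ValueError(
                            f"extraction aborted: output exceeded {max_total} bytes")
                    buf.write(piece)
            out[info.filename] = buf.getvalue()
    return out


def build_zip(entries, compression=zipfile.ZIP_DEFLATED):
    """Constructed sample archives for the demo (name -> bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed inputs: a small benign upload and a highly compressible one
# whose declared output (8 MiB of zeros) dwarfs its on-disk size.
BENIGN = build_zip({"notes/readme.txt": b"hello moodle"})
INFLATING = build_zip({"big.bin": b"\0" * (8 * 1024 * 1024)})
TRAVERSAL = build_zip({"../outside.txt": b"x"})

if __name__ == "__main__":
    print("benign:   ", inspect_archive(BENIGN))
    print("inflating:", inspect_archive(INFLATING))
    print("traversal:", inspect_archive(TRAVERSAL))
    try:
        extract_with_cap(INFLATING, max_total=1024 * 1024)
    except ValueError as exc:
        print("capped:   ", exc)
```

Both checks are needed: the central-directory inspection is cheap and rejects most crafted uploads before any inflation work, while the streaming cap is what actually bounds resource use when the declared sizes are false. The same two limits should sit behind the web server and PHP upload limits mentioned above, which only bound the compressed size on the wire.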
🔍 How to Verify
Check if Vulnerable:
Check Moodle version and compare against patched versions in MDL-74641. Review if file picker unzip functionality is enabled.
Check Version:
Check Moodle version in Site administration > Notifications or via moodle_version table in database
Verify Fix Applied:
Verify Moodle version includes MDL-74641 fix. Test file upload with large zip files to confirm proper size validation.
📡 Detection & Monitoring
Log Indicators:
- Multiple large file upload attempts
- High resource consumption (CPU/memory) spikes
- File picker/unzip related errors in logs
Network Indicators:
- Unusually large file uploads to Moodle endpoints
- Multiple upload attempts in short time
SIEM Query:
source="moodle_logs" AND (message="*unzip*" OR message="*file upload*" OR message="*resource exhaustion*")
🔗 References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-74641
- https://bugzilla.redhat.com/show_bug.cgi?id=2264074
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXGBYJ43BUEBUAQZU3DT5I5A3YLF47CB/
- https://moodle.org/mod/forum/discuss.php?d=455634