CVE-2024-8028
📋 TL;DR
A vulnerability in Danswer AI v0.3.94 allows attackers to cause Denial of Service (DoS) by uploading files with malformed multipart boundaries containing excessive trailing characters. This causes the server to continuously process each character, rendering the application inaccessible to all users. All instances running the vulnerable version are affected.
💻 Affected Systems
- danswer-ai/danswer
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application unavailability affecting all users, requiring server restart to recover service.
Likely Case
Temporary service disruption affecting all users until the malicious request is processed or the server is restarted.
If Mitigated
No impact if patched or proper input validation is implemented.
🎯 Exploit Status
Exploitation requires crafting a specific HTTP request with a malformed multipart boundary, which is relatively straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.3.95 or later
Vendor Advisory: https://huntr.com/bounties/55530ecb-0ac2-4dc1-9527-bf24de594a57
Restart Required: Yes
Instructions:
1. Update Danswer to v0.3.95 or later.
2. Restart the Danswer service.
3. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation at Proxy/WAF
Implement request filtering to reject multipart requests with unusually long boundary parameters.
Rate Limiting
Implement rate limiting on file upload endpoints to limit impact of repeated attacks.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests with malformed multipart boundaries
- Monitor for unusual upload patterns and implement automated blocking of suspicious source IPs
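One way to implement the boundary check described under "Input Validation at Proxy/WAF" is sketched below as an added example; it is not Danswer's code or the vendor's fix. It assumes the filter can see the request's Content-Type header, and it uses the 70-character boundary limit and character set from RFC 2046 as the threshold, since the page does not give one. The function names and sample records are constructed for illustration.

```python
import re
from email.message import Message

MAX_BOUNDARY_LEN = 70  # RFC 2046, section 5.1.1: boundary is 1 to 70 characters
# Allowed boundary characters per RFC 2046; the last one must not be a space.
_BCHARS = re.compile(r"[0-9A-Za-z'()+_,\-./:=? ]*[0-9A-Za-z'()+_,\-./:=?]")


def boundary_problem(content_type):
    """Return None if the header is acceptable, else a short rejection reason."""
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_maintype() != "multipart":
        return None  # not a multipart upload, nothing to check here
    boundary = msg.get_param("boundary")
    if not isinstance(boundary, str) or not boundary:
        return "missing or encoded boundary"
    # Length is checked first so the regex only ever sees short input.
    if len(boundary) > MAX_BOUNDARY_LEN:
        return f"boundary too long ({len(boundary)} chars)"
    if not _BCHARS.fullmatch(boundary):
        return "boundary has characters outside RFC 2046 bchars"
    return None


def flag_requests(records):
    """Yield (source_ip, reason) for each logged request that should be rejected."""
    for source_ip, content_type in records:
        reason = boundary_problem(content_type)
        if reason:
            yield source_ip, reason


# Constructed sample records (source IP, Content-Type header); not real traffic.
SAMPLES = [
    ("192.0.2.10", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"),
    ("192.0.2.66", "multipart/form-data; boundary=----x" + "A" * 5000),
    ("192.0.2.67", "multipart/form-data"),
    ("192.0.2.11", "application/json"),
]

if __name__ == "__main__":
    for ip, reason in flag_requests(SAMPLES):
        print(ip, reason)
```

The same function can be run over logged Content-Type values to surface the "unusually long multipart boundary" log indicator, provided the web server is configured to log that header.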
🔍 How to Verify
Check if Vulnerable:
Check if running Danswer v0.3.94 by examining version in application interface or deployment configuration.
Check Version:
Check Danswer web interface or deployment configuration for version information.
Verify Fix Applied:
Confirm version is v0.3.95 or later and test file upload functionality with normal requests.
📡 Detection & Monitoring
Log Indicators:
- Unusually long multipart boundary parameters in HTTP logs
- Multiple failed file upload attempts from single source
- Increased CPU/memory usage on server
Network Indicators:
- HTTP POST requests to upload endpoints with abnormally large Content-Length headers
- Repeated upload attempts from same IP
SIEM Query:
source="web_server_logs" AND (uri_path="/upload" OR uri_path="/api/upload") AND content_length>1000000