CVE-2024-8736

6.5 MEDIUM

📋 TL;DR

CVE-2024-8736 is a cross-site request forgery (CSRF) weakness in the file upload endpoints of lollms-webui that can be turned into a denial of service. A crafted multipart/form-data request whose boundary has extra characters appended forces the server to exhaust resources parsing the body byte by byte. Because the request can be launched cross-site and needs no prior interaction with the application, every deployment running the vulnerable version is exposed.

💻 Affected Systems

Products:
  • parisneo/lollms-webui
Versions: V12 (Strawberry)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects /upload_avatar, /upload_app, and /upload_logo endpoints specifically.

📦 What is this software?

lollms-webui (Lord of Large Language Models Web UI) is ParisNeo's Python web interface for running and chatting with local and remote LLM backends. The affected /upload_avatar, /upload_app and /upload_logo routes accept files submitted from the browser UI.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability from server resource exhaustion; the process must be restarted manually to restore functionality.

🟠 Likely Case

Temporary service degradation or downtime affecting file upload functionality and potentially other services on the same server.

🟢 If Mitigated

Minimal impact where CSRF protection is in place and the multipart boundary is validated before the body is parsed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single crafted multipart POST to one of the upload endpoints is enough. The CSRF angle means the request can also be issued from a page an administrator visits, so the attacker does not need direct network access to the instance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: A release after V12 (Strawberry); confirm in the GitHub release notes that the release includes this fix

Vendor Advisory: https://huntr.com/bounties/935dbc03-1b43-4dbb-b6cd-1aa95a789d4f

Restart Required: Yes

Instructions:

1. Check GitHub for a release newer than V12 (Strawberry) that contains the fix.
2. Update to the patched version.
3. Restart the lollms-webui service.

🔧 Temporary Workarounds

Disable vulnerable endpoints (applies to: all platforms)

Temporarily disable /upload_avatar, /upload_app, and /upload_logo. Remove or comment out the route registrations in the application, or return an error for those paths at the reverse proxy in front of it.

Implement strict boundary validation (applies to: all platforms)

Add server-side validation of the multipart boundary before the body is handed to the parser: the Content-Type boundary parameter must be present, at most 70 characters (the RFC 2046 maximum), drawn only from the character set RFC 2046 permits, and must match the first delimiter line of the body. Apply the same length limit inside the file upload handlers.
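The boundary checks described above, written out as an added example in Python (this is not code from lollms-webui or from the huntr report). It assumes the check runs in a hook that sees the raw Content-Type header and the opening bytes of the body before FastAPI's multipart parser does, for instance an ASGI middleware; the request samples at the bottom are constructed, and the fourth one reproduces the shape the advisory describes, a single extra character on the header boundary so that the body's delimiter never matches.

```python
"""Added example, not lollms-webui code: validate a multipart/form-data request
before it reaches the multipart parser.

Assumption: this runs in a hook that sees the raw Content-Type header and the
opening bytes of the body (for a FastAPI app, an ASGI middleware) so malformed
requests are refused before any byte-by-byte parsing starts. The request
samples at the bottom are constructed for illustration.
"""
import re
from typing import Optional

# RFC 2046 section 5.1.1: a boundary is 1 to 70 characters from this set and
# must not end with a space.
BCHARS = set("0123456789abcdefghijklmnopqrstuvwxyz"
             "ABCDEFGHIJKLMNOPQRSTUVWXYZ'()+_,-./:=? ")
MAX_BOUNDARY_LEN = 70

# Capture the boundary parameter as sent. For a quoted value, group 2 also
# grabs anything glued on after the closing quote, so an appended character
# ends up in the token the validator inspects instead of being silently dropped.
_BOUNDARY_RE = re.compile(r';\s*boundary=(?:"([^"]*)"([^;]*)|([^;]*))', re.I)


def extract_boundary(content_type: str) -> Optional[str]:
    """Return the boundary token from a Content-Type value, or None."""
    m = _BOUNDARY_RE.search(content_type)
    if not m:
        return None
    if m.group(1) is not None:
        return m.group(1) + m.group(2).strip()
    return m.group(3).strip()


def check_multipart(content_type: str, body_prefix: bytes) -> Optional[str]:
    """Return None if the request is well formed, otherwise a rejection reason."""
    if not content_type.lower().startswith("multipart/form-data"):
        return "not multipart/form-data"
    boundary = extract_boundary(content_type)
    if not boundary:
        return "missing boundary"
    if len(boundary) > MAX_BOUNDARY_LEN:
        return f"boundary too long ({len(boundary)} > {MAX_BOUNDARY_LEN})"
    if not set(boundary) <= BCHARS or boundary.endswith(" "):
        return "boundary contains characters outside the RFC 2046 set"
    # Header and body must agree: the body has to open with "--" + boundary.
    # If they differ, refuse now rather than let the parser scan the whole
    # body looking for a delimiter that never appears.
    delimiter = b"--" + boundary.encode("ascii") + b"\r\n"
    if not body_prefix.startswith(delimiter):
        return "body does not start with the declared boundary"
    return None


def build_request(header_boundary: str, body_boundary: str) -> tuple[str, bytes]:
    """Constructed sample request: Content-Type value and body bytes."""
    content_type = f"multipart/form-data; boundary={header_boundary}"
    body = (f"--{body_boundary}\r\n"
            'Content-Disposition: form-data; name="file"; filename="a.png"\r\n'
            "Content-Type: image/png\r\n\r\n"
            "\x89PNG...\r\n"
            f"--{body_boundary}--\r\n").encode("latin-1")
    return content_type, body


GOOD = "----WebKitFormBoundaryAbC123"
SAMPLES = {
    "legitimate": build_request(GOOD, GOOD),
    # The advisory's trigger shape: one extra character on the header boundary only.
    "appended_char": build_request(GOOD + "X", GOOD),
    "too_long": build_request("A" * 71, "A" * 71),
    "bad_chars": build_request("abc<script>", "abc<script>"),
}


def audit(samples=SAMPLES) -> dict[str, Optional[str]]:
    """Run every sample through the check; None means accepted."""
    return {name: check_multipart(ct, body) for name, (ct, body) in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:14s} -> {verdict or 'accepted'}")
```

The body comparison is the check that matters for this CVE: the header-only limits (length, character set) catch crude oversized boundaries, but an appended character can still produce a syntactically valid boundary, and only the mismatch with the body's first delimiter line exposes it. This is a stop-gap in front of the parser; upgrading remains the fix.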

🧯 If You Can't Patch

  • Implement WAF rules that block multipart requests whose boundary parameter is longer than 70 characters or contains characters outside the RFC 2046 set
  • Rate limit the /upload_* endpoints per source so repeated malformed requests cannot exhaust the server

🔍 How to Verify

Check if Vulnerable:

Confirm the instance is running lollms-webui V12 (Strawberry). If a live test is needed, send a multipart request with an over-length or mismatched boundary to one of the /upload_* endpoints on a non-production instance and watch CPU usage; a successful test is itself the denial of service, so never run it against production.

Check Version:

Check lollms-webui version in application interface or configuration files

Verify Fix Applied:

Confirm that the upgraded instance answers malformed-boundary requests with an error response rather than hanging, and that CPU and memory stay flat while it does so.

📡 Detection & Monitoring

Log Indicators:

  • Multiple upload requests with boundary parameters longer than 70 characters or that do not match the body
  • CPU or memory spikes that coincide with POSTs to the /upload_* endpoints

Network Indicators:

  • Repeated POST requests to /upload_* endpoints with unusual boundary parameters

SIEM Query:

source="web_server" AND (uri_path="/upload_avatar" OR uri_path="/upload_app" OR uri_path="/upload_logo") AND boundary_length>70

boundary_length is not a stock web-server field: derive it from the request Content-Type header (the value of its boundary= parameter), which the reverse proxy has to be configured to log. RFC 2046 caps legitimate boundaries at 70 characters, so any longer value is malformed.
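The same detection carried out over access logs, as an added example rather than a query from the page. It assumes the reverse proxy in front of lollms-webui logs the request Content-Type (nginx exposes it as $content_type; the log format in the docstring is an assumed one, since the standard combined format does not carry this field). The log lines are constructed: one normal upload, unrelated traffic, and a burst of oversized-boundary POSTs from a single source, matching the repeated-POST network indicator above.

```python
"""Added example, not from lollms-webui: flag POSTs to the upload endpoints whose
multipart boundary is abnormal, working from reverse-proxy access logs.

Assumption: the proxy logs the request Content-Type. With nginx, a format like
    log_format upload '$remote_addr [$time_local] "$request" $status "$content_type"';
produces the line shape parsed here. The log lines below are constructed.
"""
import re
from collections import Counter
from typing import Optional

UPLOAD_PATHS = {"/upload_avatar", "/upload_app", "/upload_logo"}
MAX_BOUNDARY_LEN = 70  # RFC 2046 upper bound; longer boundaries are never legitimate

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$')
BOUNDARY_RE = re.compile(r';\s*boundary=(?:"([^"]*)"([^;]*)|([^;]*))', re.I)

# Constructed sample log: one normal upload, unrelated traffic, then a burst of
# oversized-boundary POSTs from a single source.
ATTACKER = "198.51.100.23"
SAMPLE_LOG = [
    '203.0.113.7 [02/Oct/2024:10:00:01 +0000] "POST /upload_avatar HTTP/1.1" 200 '
    '"multipart/form-data; boundary=----WebKitFormBoundaryq3ZpQ"',
    '203.0.113.7 [02/Oct/2024:10:00:09 +0000] "GET /api/status HTTP/1.1" 200 "-"',
    '203.0.113.7 [02/Oct/2024:10:00:12 +0000] "POST /api/chat HTTP/1.1" 200 "application/json"',
] + [
    f'{ATTACKER} [02/Oct/2024:10:02:{s:02d} +0000] "POST {path} HTTP/1.1" 504 '
    f'"multipart/form-data; boundary={"A" * 300}"'
    for s, path in enumerate(["/upload_logo", "/upload_app", "/upload_avatar", "/upload_logo"])
]


def boundary_length(ctype: str) -> Optional[int]:
    """Length of the boundary parameter in a Content-Type value, or None."""
    m = BOUNDARY_RE.search(ctype)
    if not m:
        return None
    if m.group(1) is not None:
        return len(m.group(1) + m.group(2).strip())
    return len(m.group(3).strip())


def scan(lines):
    """Return (ip, path, reason) for each suspicious request to an upload endpoint."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] not in UPLOAD_PATHS:
            continue
        ctype = m["ctype"]
        if not ctype.lower().startswith("multipart/form-data"):
            alerts.append((m["ip"], m["path"], "upload POST without a multipart body"))
            continue
        n = boundary_length(ctype)
        if n is None:
            alerts.append((m["ip"], m["path"], "multipart body without a boundary"))
        elif n > MAX_BOUNDARY_LEN:
            alerts.append((m["ip"], m["path"], f"boundary length {n} exceeds {MAX_BOUNDARY_LEN}"))
    return alerts


def repeat_offenders(alerts, threshold=3):
    """Sources with at least `threshold` alerts: the repeated-POST pattern."""
    counts = Counter(ip for ip, _, _ in alerts)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, path, reason in found:
        print(f"{ip} {path}: {reason}")
    print("repeat offenders:", repeat_offenders(found))
```

Length alone will not catch the single-appended-character variant, since such a boundary is still well within 70 characters; for that, pair this log check with the CPU spike indicator or with body-versus-header validation at the application.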
