CVE-2025-1451

7.5 HIGH

📋 TL;DR

This vulnerability in parisneo/lollms-webui allows attackers to cause denial of service by sending specially crafted file upload requests with excessively long multipart boundaries. The server fails to validate boundary length and character composition, leading to resource exhaustion. All users running vulnerable versions of lollms-webui are affected.

💻 Affected Systems

Products:
  • parisneo/lollms-webui
Versions: v13 and earlier versions with the incomplete patch from commit 483431bb
Operating Systems: All platforms running lollms-webui
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration when file upload functionality is enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to resource exhaustion, potentially requiring a server restart and causing extended downtime.

🟠 Likely Case: Temporary service degradation or unavailability during an attack, with potential for repeated exploitation.

🟢 If Mitigated: Minimal impact with proper rate limiting and boundary validation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires crafting specific HTTP requests but doesn't require authentication to the web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after commit that properly fixes boundary validation

Vendor Advisory: https://huntr.com/bounties/63f5aea4-953b-4b38-9f10-3afe425be1d4

Restart Required: No

Instructions:

1. Update to the latest version of lollms-webui.
2. Verify the patch includes proper boundary length validation and character restrictions.
3. Restart the webui service if needed.

🔧 Temporary Workarounds

Implement request size limits (Platforms: all)

Configure the web server or reverse proxy to limit the maximum request size:

  nginx: client_max_body_size 10M;
  apache: LimitRequestBody 10485760

Disable file uploads (Platforms: all)

Temporarily disable file upload functionality if it is not required: modify the lollms-webui configuration to disable the upload endpoints.

🧯 If You Can't Patch

  • Implement rate limiting on upload endpoints
  • Use WAF with request size validation rules

🔍 How to Verify

Check if Vulnerable:

Check if running lollms-webui v13 or earlier with the incomplete patch from commit 483431bb

Check Version:

Check lollms-webui version in web interface or configuration files

Verify Fix Applied:

Verify the server properly validates multipart boundary length and rejects requests with boundaries longer than reasonable limits
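The check described above, as an added example that is not lollms-webui's own code or its actual fix: a Python function that refuses a multipart Content-Type header before the body is parsed when the boundary breaks the RFC 2046 rules (1 to 70 characters, drawn from the "bchars" set, no trailing space). The 512-character cap on the whole header, the sample header names and the header values are constructed for this illustration and are assumptions, not values from the advisory.

```python
"""Defensive multipart boundary validation (added example, not lollms-webui code).

RFC 2046 section 5.1.1 limits a multipart boundary to 1..70 characters from a
small set ("bchars") and forbids a trailing space. Rejecting a Content-Type
that breaks those rules before the body is parsed removes the oversized,
malformed-boundary input that CVE-2025-1451 describes.
"""
import re
from typing import Dict, Tuple

# Assumed operational cap on the whole Content-Type header; a legitimate
# multipart/form-data header is far shorter. Checked first so an oversized
# header is refused before any parsing work is done.
MAX_CONTENT_TYPE_LEN = 512
MAX_BOUNDARY_LEN = 70  # RFC 2046 section 5.1.1

# RFC 2046 bchars: DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-"
#                  / "." / "/" / ":" / "=" / "?" / SPACE
_BCHARS_RE = re.compile(r"[0-9A-Za-z'()+_,\-./:=? ]+")


def check_multipart_content_type(content_type: str) -> Tuple[bool, str]:
    """Return (accepted, detail): detail is the boundary on success, a reason on failure."""
    if len(content_type) > MAX_CONTENT_TYPE_LEN:
        return False, f"Content-Type header too long ({len(content_type)} > {MAX_CONTENT_TYPE_LEN})"

    parts = [p.strip() for p in content_type.split(";")]
    media_type = parts[0].lower()
    if media_type != "multipart/form-data":
        return False, f"unexpected media type {media_type!r}"

    boundary = None
    for param in parts[1:]:
        name, sep, value = param.partition("=")
        if sep and name.strip().lower() == "boundary":
            value = value.strip()
            # Boundaries may be quoted; strip one pair of surrounding quotes.
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            boundary = value
            break

    if boundary is None:
        return False, "missing boundary parameter"
    if not 1 <= len(boundary) <= MAX_BOUNDARY_LEN:
        return False, f"boundary length {len(boundary)} outside 1..{MAX_BOUNDARY_LEN}"
    if not _BCHARS_RE.fullmatch(boundary):
        return False, "boundary contains characters outside RFC 2046 bchars"
    if boundary.endswith(" "):
        return False, "boundary must not end with a space"
    return True, boundary


# Constructed sample headers for demonstration; not captured traffic.
CONSTRUCTED_SAMPLES: Dict[str, str] = {
    "browser_upload": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "quoted_with_space": 'multipart/form-data; boundary="gc0p4Jq0M2Yt08j U534c0p"',
    "too_long_71": "multipart/form-data; boundary=" + "a" * 71,
    "oversized_header": "multipart/form-data; boundary=" + "b" * 4096,
    "bad_characters": "multipart/form-data; boundary=abc<script>",
    "trailing_space": 'multipart/form-data; boundary="abc "',
    "no_boundary": "multipart/form-data",
    "wrong_type": "application/json",
}


def evaluate_samples() -> Dict[str, bool]:
    """Run every constructed sample through the check; True means accepted."""
    return {name: check_multipart_content_type(ct)[0] for name, ct in CONSTRUCTED_SAMPLES.items()}


if __name__ == "__main__":
    for name, accepted in evaluate_samples().items():
        detail = check_multipart_content_type(CONSTRUCTED_SAMPLES[name])[1]
        print(f"{name:18} {'ACCEPT' if accepted else 'REJECT'}  {detail}")
```

Run the check on the raw Content-Type header before handing the request to the multipart parser; only the two accepted samples reach the parser. One caveat on the workaround section: `client_max_body_size` and `LimitRequestBody` cap the request body, but the boundary travels in the Content-Type request header, which is governed by the header limits (`large_client_header_buffers` in nginx, `LimitRequestFieldSize` in Apache), so a body-size limit alone does not bound the boundary length.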

📡 Detection & Monitoring

Log Indicators:

  • Unusually large HTTP requests
  • Multiple failed upload attempts
  • High memory/CPU usage spikes

Network Indicators:

  • HTTP POST requests with extremely long Content-Type headers
  • Abnormally large request payloads to upload endpoints

SIEM Query:

source="web_server_logs" AND (request_size>10000000 OR (uri_path="/upload" AND status_code=413))
