No password brute-force protection on login page in hay-kot/mealie


Reported on

Jul 28th 2022


The login page doesn't have any protection against a brute-force password attack, which allows an attacker to try every possible combination without any restriction.

Proof of Concept

  1. 1 - Send a login request of the target user
POST /api/auth/token HTTP/1.1
Host: localhost:9091
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLDx5Wjaf8w8QGFao

Content-Disposition: form-data; name="username"
Content-Disposition: form-data; name="password"

Content-Disposition: form-data; name="remember_me"

  1. 2 - Capture and replay the login request with a different password everytime bruteforce


An attacker could perform a brute-force attack targeting normal and administrative users, using different passwords and eventually gain access to the targeted account, without any restriction.

We are processing your report and will contact the hay-kot/mealie team within 24 hours. a year ago
We have contacted a member of the hay-kot/mealie team and are waiting to hear back a year ago
Hayden validated this vulnerability a year ago
vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the hay-kot/mealie team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the hay-kot/mealie team. We will try again in 10 days. a year ago
Hayden marked this as fixed in nightly with commit b3c41a a year ago
Hayden has been awarded the fix bounty
This vulnerability will not receive a CVE has been validated
to join this conversation