Denial of Service in chatwoot/chatwoot

Valid

Reported on

Dec 6th 2021


The extract_reply function (https://github.com/chatwoot/chatwoot/blob/a0ffefad717b632269883863c27242bb97d3b66d/app/presenters/mail_presenter.rb#L105) is highly inefficient on HTML emails. A legitimate LinkedIn email has 20 KB of HTML content, which takes a minute or two to process through that function, and on the SaaS site caused undefined behavior such as these emails being delivered with a long delay or multiple times (probably as a result of the Sidekiq worker crashing). An attacker would be able to exploit this to clog up all the workers on the SaaS platform and degrade queue-dependent functionality for everyone.

As a solution tweaking the regexes would work but I suggest scrapping the "homemade" approach and instead using the 'html2text' gem to convert to text and then running the text through the 'email_reply_parser' gem (used by GitHub themselves) to extract the reply out of the text content. I have implemented this solution on my local version and the problem goes away.

I can provide the specific payload that triggered the bug, but honestly this does not require any malicious activity: a legitimate LinkedIn notification email triggered it, so I'm pretty sure you can just take any random HTML page in the 10 KB range as a test.

Regards.
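The shape of the fix the report recommends, as an added example that is neither chatwoot's code nor the reporter's patch: a single-pass HTML-to-text converter that cannot backtrack, a simplified reply splitter in the spirit of the email_reply_parser gem, and a timing check on a constructed 20 KB notification e-mail of the kind the report describes. Only the Ruby standard library is used, so it runs without the html2text or email_reply_parser gems; the sample e-mail, the helper names, the tag lists and the quote-marker patterns are my assumptions, not taken from the project.

```ruby
require "cgi"
require "strscan"

# Tags that start a new line of text, and tags whose content is never text.
# Both lists are assumptions for this example, not chatwoot's.
BLOCK_TAGS = %w[p div br tr td li h1 h2 h3 h4 h5 h6 blockquote table].freeze
SKIP_TAGS  = %w[head script style].freeze

# Linear-time HTML to text. The scanner only ever moves forward: a tag is
# matched with [^<>]*, which cannot backtrack past the next '<', and text is
# consumed in runs with [^<]+, so every byte is visited a bounded number of
# times regardless of how the input is shaped. Comments and CDATA are not
# special-cased; a stray '<' not followed by '>' is kept as text.
def html_to_text(html)
  s = StringScanner.new(html)
  out = +""
  skip_until = nil # name of the open head/script/style tag being skipped
  until s.eos?
    if s.scan(/<([^<>]*)>/)
      tag = s[1]
      closing = tag.start_with?("/")
      name = tag.delete_prefix("/").split(%r{[\s/]}, 2).first.to_s.downcase
      if skip_until
        skip_until = nil if closing && name == skip_until
      elsif !closing && SKIP_TAGS.include?(name)
        skip_until = name
      elsif BLOCK_TAGS.include?(name)
        out << "\n"
      end
    elsif s.scan(/[^<]+/)
      out << s.matched unless skip_until
    else
      ch = s.getch # always advance, even inside a skipped region
      out << ch unless skip_until
    end
  end
  # Entities are decoded only after every tag is gone, so "&lt;script&gt;" in a
  # message body stays literal text and never turns back into markup.
  CGI.unescapeHTML(out).gsub(/[ \t\r]+/, " ").lines.map(&:strip).reject(&:empty?).join("\n")
end

# Markers that begin the quoted history in a reply: a simplified form of what
# the email_reply_parser gem does (headers wrapped over several lines are not
# handled). Each pattern sees one line, so work per line is bounded by its length.
QUOTE_MARKERS = [
  /\AOn .*wrote:\z/,                      # "On Mon, ... Alice <a@b> wrote:"
  /\A-{2,} ?Original Message ?-{2,}\z/i,
  /\A>/,                                  # "> quoted line"
].freeze

# Returns the lines above the first quote marker: the sender's actual reply.
def extract_reply(text)
  reply = []
  text.each_line do |raw|
    line = raw.chomp
    break if QUOTE_MARKERS.any? { |re| re.match?(line) }
    reply << line
  end
  reply.join("\n").strip
end

# Constructed sample (not a real message): a short reply on top of a large
# quoted HTML notification, the shape of e-mail the report says triggered the bug.
def synthetic_email(target_kb: 20)
  row = "<tr><td style=\"padding:4px\"><a href=\"https://example.invalid/in/someone\">Someone</a>" \
        " viewed your profile &amp; sent you a note</td></tr>\n"
  rows = +""
  rows << row while rows.bytesize < target_kb * 1024
  "<html><head><style>td{color:#333}</style></head><body>" \
  "<p>Thanks, that works for me.</p>" \
  "<p>On Mon, Dec 6, 2021 at 10:00 AM Alice &lt;alice@example.invalid&gt; wrote:</p>" \
  "<blockquote><p>&gt; Can you confirm the fix?</p><table>#{rows}</table></blockquote>" \
  "</body></html>"
end

# Regression check in the spirit of the report: any HTML in the 10-20 KB range
# must come back in milliseconds, not minutes. Returns [reply, elapsed_ms].
def timed_extract(html)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  reply = extract_reply(html_to_text(html))
  ms = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0) * 1000).round(1)
  [reply, ms]
end

if __FILE__ == $PROGRAM_NAME
  reply, ms = timed_extract(synthetic_email(target_kb: 20))
  puts "reply: #{reply.inspect}"
  puts "processed in #{ms} ms"
end
```

The point of the scanner is that its cost is a function of input length alone, which is the property a regex-driven extractor loses once a pattern can backtrack across a large quoted body. As defence in depth for any regex that remains on the mail path, Ruby 3.2 and later let you set Regexp.timeout so that a pathological match raises instead of pinning a Sidekiq worker; the timing helper above is the kind of check that belongs in a test suite fed with real-world notification HTML.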

We are processing your report and will contact the chatwoot team within 24 hours. 2 years ago
Andre Borie
2 years ago

Researcher


Note that this does not require any authentication as this code is used for parsing incoming emails.

We have contacted a member of the chatwoot team and are waiting to hear back 2 years ago
Sojan Jose
2 years ago

Maintainer


Hey Andre, thanks for reporting. We will take a look and get back to you.

Tejaswini Chile validated this vulnerability 2 years ago
Andre Borie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Tejaswini Chile marked this as fixed in https://github.com/chatwoot/chatwoot/releases/tag/v2.0.1 with commit 44486f a year ago
Tejaswini Chile has been awarded the fix bounty
This vulnerability will not receive a CVE