Classic Buffer Overflow in chatwoot/chatwoot

Valid

Reported on

Jun 3rd 2021


You can put a very long work email text until you get the last user to put and aries or [DoS].

Normally emails have 64 to 225 digits.

Summary There is no limit to the number of characters in the work email, which allows a DoS attack. The DoS attack affects both server-side and client-side.

NOTE: This bug happens on https://app.chatwoot.com/app/auth/signup

By sending a very long text (1.000.000 characters) When a long email is sent, the email process will result in CPU and memory exhaustion.

Remediation: The note implementation must be fixed to limit the maximum length of accepted characters.

Step to reproduce:

  1. Signup app.chatwoot.com/app/auth/signup
  2. Put your long payload in a work email

Impact: it's possible to cause a denial of service attack on the server. This may lead to the website becoming unavailable or unresponsive.

Verify it and set a fair reward for reporting security vulnerability in a responsible manner.

Sojan Jose validated this vulnerability a year ago
Owais Siddiqui has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sojan Jose confirmed that a fix has been merged on 60a070 a month ago
The fix bounty has been dropped
to join this conversation