No limit in email length may result in a possible DOS attack in ikus060/rdiffweb


Reported on

Sep 22nd 2022


As per RFC the maximum length allowed for an email address is 255 characters. However, rdiffweb don't validate email length, so you can add email addresses that exceed 255 characters. Through this, if you sign up for an email with a length of 1 million or more and log in, withdraw, or change your email, the server may cause DOS due to overload.

Proof of Concept

  1. Go to
  2. You can now change the email associated with your account from this endpoint
  3. Set a very long email that exceeds 1000 characters
  4. You will see that the long email is readily accepted and there is no fixed length for this user input parameter

Mitigation: The email parameter must have a specific user input length


An attacker can store a large email address as per his requirement which will possibly lead to a DOS attack / Buffer Overflow


We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago
Patrik Dufresne assigned a CVE to this report a year ago
Patrik Dufresne validated this vulnerability a year ago
Nehal Pillai has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. a year ago
Patrik Dufresne marked this as fixed in 2.4.8 with commit 667657 a year ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability will not receive a CVE has been validated
to join this conversation