Denial of Service in usememos/memos

Valid

Reported on

Dec 23rd 2022

Description

There is no limit of "Nickname" content length while updating your information that lead to Denial of Service by entering huge number of characters

if you insert the following POST request

{ "email": "test@test.testhe", "id": 104, "nickname": "teaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaateaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaastteaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaast", "username": "teste" }

It will be accepted

Impact

Denial of Service

We are processing your report and will contact the usememos/memos team within 24 hours. 17 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 16 days ago
STEVEN validated this vulnerability 16 days ago
Mohamed Abdelhady has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mohamed
16 days ago

Researcher

Can You assign it as CVE !

STEVEN marked this as fixed in 0.9.1 with commit f888c6 13 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 13 days ago
to join this conversation