Server-side request forgery leading to denial of service in hay-kot/mealie

Valid

Reported on

May 29th 2022


Description

If an attacker supplies the URL of a huge file to the recipe import, the server tries to load the whole file into memory and eventually uses all of its memory, which denies service.

Proof of Concept

1. Go to https://demo.mealie.io/recipe/create/url?recipe_import_url=https%3A%2F%2Fspeed.hetzner.de%2F10GB.bin&import_keywords_as_tags=1

2. Send this request 4-5 times.

3. The server will try to load the file and will be denied service.

PoC video:

https://youtu.be/qXAH_8SypTA
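The root cause is an unbounded fetch: the import endpoint buffers the whole remote body before parsing it. The mitigation below is an added example (not mealie's own code) that rejects an oversized Content-Length before reading any body bytes and aborts a streamed read once the running total passes a cap; MAX_IMPORT_BYTES, the FakeResponse stand-in and the User-Agent string are assumptions.

```python
"""Size-capped download for a URL-import endpoint (added example, not mealie's code)."""
import io
import urllib.request

MAX_IMPORT_BYTES = 2 * 1024 * 1024  # assumed cap: a recipe page never needs more
CHUNK = 64 * 1024


class ResponseTooLarge(Exception):
    """Remote body is, or would be, larger than the configured cap."""


def read_bounded(resp, max_bytes=MAX_IMPORT_BYTES):
    """Read a response body into memory while never holding more than ~max_bytes.

    `resp` needs .headers (a mapping) and .read(n), which is what
    urllib.request.urlopen returns. A naive `resp.read()` would buffer a
    10 GB body in full; this rejects it before the first byte if the server
    declares the length, and aborts mid-stream if it does not (or lies).
    """
    declared = resp.headers.get("Content-Length")
    if declared is not None and int(declared) > max_bytes:
        raise ResponseTooLarge(f"declared length {declared} > {max_bytes}")
    buf, total = io.BytesIO(), 0
    while True:
        chunk = resp.read(CHUNK)
        if not chunk:
            return buf.getvalue()
        total += len(chunk)
        if total > max_bytes:  # chunked/missing Content-Length: stop here
            raise ResponseTooLarge(f"body exceeded {max_bytes} bytes")
        buf.write(chunk)


def fetch_bounded(url, max_bytes=MAX_IMPORT_BYTES, timeout=10):
    """Fetch `url` with both a size cap and a socket timeout (needs network)."""
    req = urllib.request.Request(url, headers={"User-Agent": "recipe-importer"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return read_bounded(resp, max_bytes)


class FakeResponse:
    """Constructed stand-in for an HTTP response so the example runs offline."""

    def __init__(self, body, headers=None):
        self._buf, self.headers = io.BytesIO(body), headers or {}

    def read(self, n=-1):
        return self._buf.read(n)
```

Peak memory is bounded by max_bytes plus one chunk regardless of what the remote host sends, so repeated requests for a 10 GB file cannot exhaust the process.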

Impact

Denial of service

We are processing your report and will contact the hay-kot/mealie team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the hay-kot/mealie team and are waiting to hear back a year ago
We have sent a follow up to the hay-kot/mealie team. We will try again in 7 days. a year ago
We have sent a second follow up to the hay-kot/mealie team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the hay-kot/mealie team. This report is now considered stale. a year ago
Hayden validated this vulnerability a year ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the hay-kot/mealie team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the hay-kot/mealie team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the hay-kot/mealie team. This report is now considered stale. 10 months ago
Hayden marked this as fixed in v1.0.0beta-4 with commit 13850c 10 months ago
Hayden has been awarded the fix bounty
This vulnerability will not receive a CVE