The NocoDB application allows large characters to be inserted in the input field "New Project" on the create field, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in nocodb/nocodb


Reported on

Jun 16th 2022

Proof of Concept

1. Go to http://localhost:8080/dashboard/#/projects
2. Click on New project and create.
3. Fill the "Enter project name" field with huge characters (more than 1 lakh). Copy the below payload and put it in the input fields and click on continue.
4. You will see the application accepts large characters, and if we increase the characters then it can lead to DoS.

Download the payload from here:

Video & Image POC:

Patch recommendation:

The Project name input should be limited to 50 characters or a max of 100 characters.


It can lead to a denial of service attack
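Added example, not from the report or from NocoDB's code base, of the server-side limit the patch recommendation calls for; the 100-character cap, the `title` field name and the handler shape are assumptions made for illustration:

```javascript
// Added example (not NocoDB code): validate a project name server-side with
// the length limit the report recommends. The cap, the field name `title`,
// the error format and the handler shape are assumptions.
const MAX_PROJECT_NAME_LENGTH = 100; // report suggests 50, or at most 100

// Decide whether s has more than `max` Unicode code points without walking
// an unbounded string: each code point is 1 or 2 UTF-16 units, so anything
// over 2*max units is rejected from .length alone (O(1)); only candidates
// that might fit are iterated, and the loop stops at max+1 (O(max)).
function exceedsCodePointLimit(s, max) {
  if (s.length > 2 * max) return true;
  let n = 0;
  for (const _ of s) {
    if (++n > max) return true;
  }
  return false;
}

// Returns { ok: true, value } with a trimmed name, or { ok: false, reason }.
function validateProjectName(raw, maxLength = MAX_PROJECT_NAME_LENGTH) {
  if (typeof raw !== 'string') {
    return { ok: false, reason: 'project name must be a string' };
  }
  // Length check comes first: trim() and the regex below are O(n) and must
  // never run over a multi-megabyte input.
  if (exceedsCodePointLimit(raw, maxLength)) {
    return { ok: false, reason: `project name exceeds ${maxLength} characters` };
  }
  const value = raw.trim();
  if (value.length === 0) {
    return { ok: false, reason: 'project name must not be empty' };
  }
  // Reject control characters so the name is safe to log and display.
  if (/[\u0000-\u001f\u007f]/.test(value)) {
    return { ok: false, reason: 'project name contains control characters' };
  }
  return { ok: true, value };
}

// Stand-in for the create-project handler: validation runs before any
// database work, so an oversized name costs one cheap check and a 400.
// In an Express app, also cap the request body (e.g. express.json({ limit: '16kb' }))
// so the oversized request is cut off before it reaches this code.
function handleCreateProject(body) {
  const result = validateProjectName(body && body.title);
  if (!result.ok) {
    return { status: 400, body: { error: result.reason } };
  }
  return { status: 201, body: { title: result.value } };
}
```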

We are processing your report and will contact the nocodb team within 24 hours. 2 months ago
Arjun E modified the report
2 months ago
We have contacted a member of the nocodb team and are waiting to hear back 2 months ago
nocodb/nocodb maintainer
2 months ago


Handled in below PR image.

docker run -d -p 8888:8080 nocodb/nocodb-timely:0.91.10-pr-2416-20220617-1132

Expected to be available in the next release.

navi gave praise a month ago
Thank you for the report - we are looking into and debugging the issue
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
We have sent a follow up to the nocodb team. We will try again in 7 days. a month ago
nocodb/nocodb maintainer has acknowledged this report a month ago
Arjun E
a month ago


Any updates?

nocodb/nocodb maintainer validated this vulnerability a month ago
Arjun E has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
nocodb/nocodb maintainer confirmed that a fix has been merged on 000ecd a month ago
The fix bounty has been dropped
Arjun E
a month ago


@admin am I eligible to assign a CVE?

Jamie Slome
a month ago


We are happy to assign and publish a CVE if the maintainer is happy to do so as well.

@maintainer - are you happy with a CVE for this report?

Arjun E
6 days ago


@maintainer - Any updates from your side?
