The NocoDB application accepts an unbounded number of characters in the "New Project" name input on the create form, which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request in nocodb/nocodb
Jun 16th 2022
Proof of Concept
1. Go to http://localhost:8080/dashboard/#/projects
2. Click on "New project" and choose create.
3. Fill the "Enter project name" field with a huge number of characters (more than 1 lakh, i.e. 100,000).
4. Copy the payload below, paste it into the input field and click on continue.
You will see that the application accepts the large input; increasing the number of characters further can lead to DoS.
Download the payload from here:
Video & Image POC:
The project name input should be limited to 50 characters, or at most 100 characters.
Accepting unbounded input in this field can lead to a denial of service attack.
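As an added illustration of the recommended fix (example code, not NocoDB's own), the check below enforces the 100-character limit on the server side, counting code points rather than UTF-16 units, and rejects oversized request bodies before they are parsed at all. The `title` field name, the 4 KiB body cap and the handler shape are assumptions for the example.

```javascript
// Added example (not NocoDB's own code): enforce the project-name length
// limit from the report at the API boundary.
const MAX_PROJECT_NAME_CHARS = 100; // upper bound recommended above
const MAX_BODY_BYTES = 4 * 1024;    // assumed: a create-project body needs far less

// Count code points, not UTF-16 code units, so an astral character such as
// "𝔸" counts as one character instead of two.
function validateProjectName(name) {
  if (typeof name !== 'string') return { ok: false, error: 'name must be a string' };
  const trimmed = name.trim();
  const length = Array.from(trimmed).length;
  if (length === 0) return { ok: false, error: 'name must not be empty' };
  if (length > MAX_PROJECT_NAME_CHARS) {
    return { ok: false, error: `name exceeds ${MAX_PROJECT_NAME_CHARS} characters` };
  }
  return { ok: true, name: trimmed };
}

// Reject an oversized raw body by byte count before JSON parsing, so the
// server never materialises a multi-megabyte string for a tiny request.
function checkBodySize(rawBody) {
  const bytes = Buffer.byteLength(rawBody, 'utf8');
  if (bytes > MAX_BODY_BYTES) {
    return { ok: false, bytes, error: `body of ${bytes} bytes exceeds ${MAX_BODY_BYTES}` };
  }
  return { ok: true, bytes };
}

// Hypothetical create-project handler combining both checks; the "title"
// field and the status codes are constructed for this example.
function createProjectHandler(rawBody) {
  const size = checkBodySize(rawBody);
  if (!size.ok) return { status: 413, error: size.error };
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, error: 'invalid JSON' };
  }
  const v = validateProjectName(body.title);
  if (!v.ok) return { status: 400, error: v.error };
  return { status: 201, project: { title: v.name } };
}
```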