Home > Vulnerability Database > CVE-2024-10907

Mend.io Vulnerability Database

CVE-2024-10907

Date: March 20, 2025

In lm-sys/fastchat Release v0.2.36, the server fails to handle excessive characters appended to the end of multipart boundaries. This flaw can be exploited by sending malformed multipart requests with arbitrary characters at the end of the boundary. Each extra character is processed in an infinite loop, leading to excessive resource consumption and a complete denial of service (DoS) for all users. The vulnerability is unauthenticated, meaning no user login or interaction is required for an attacker to exploit this issue.

Severity Score

7.5

Related Resources (4)

Url: https://huntr.com/bounties/bf3ca81d-3508-4455-95d9-0b653e46d6e4

Url: https://github.com/lm-sys/FastChat

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-10907

Url: https://www.mend.io/vulnerability-database/CVE-2024-10907

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-10907

Date: March 20, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?