automatic1111/stable-diffusion-webui Denial-of-Service Vulnerability via Multipart Boundary Manipulation

Vulnerability

A denial-of-service vulnerability has been identified in automatic1111/stable-diffusion-webui version 1.10.0. The server does not properly handle excess characters appended to the end of multipart boundaries. The flaw can be triggered by a malformed multipart request with arbitrary characters, such as hyphens or spaces, at the end of the boundary. Each additional character is processed in an infinite loop, which leads to excessive resource consumption and leaves the server unresponsive for all users. The vulnerability is unauthenticated: it can be exploited without any user login or interaction.

Impact

Exploitation of this vulnerability causes significant resource exhaustion, leading to a complete denial-of-service condition where the server becomes unresponsive to all users.

Reproduction

The vulnerability can be reproduced by sending the server a multipart request with an excessive number of characters appended to the end of the multipart boundary. This can be done with a Python script that uses the requests library to send the malformed request. The script sets the Content-Type header to multipart/form-data and includes a boundary deliberately crafted so that extra characters can be appended. Once the request is sent, the server's response can be checked to confirm successful exploitation.
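One way to reject such requests before they reach the multipart parser, shown as an added example (not code from stable-diffusion-webui or from this advisory). It checks the boundary in the Content-Type header against RFC 2046 syntax and flags delimiter lines in the body that carry trailing characters. The function names, the `MAX_PADDING` limit and the sample bodies are assumptions constructed for illustration.

```python
import re
from email.message import Message

MAX_PADDING = 8  # assumed cap on whitespace allowed after a delimiter
# RFC 2046 boundary: 1-70 characters from a restricted set, not ending in a space
BOUNDARY_RE = re.compile(rb"[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]")

def get_boundary(content_type):
    """Return the boundary of a multipart/form-data Content-Type as bytes, or None."""
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_type() != "multipart/form-data":
        return None
    value = msg.get_param("boundary")
    return value.encode("utf-8") if isinstance(value, str) and value else None

def inspect_multipart(content_type, body):
    """Return reasons to reject the request; an empty list means it passed."""
    boundary = get_boundary(content_type)
    if boundary is None:
        return ["no usable multipart/form-data boundary"]
    problems = []
    if not BOUNDARY_RE.fullmatch(boundary):
        problems.append("boundary violates RFC 2046 syntax")
    delim = b"--" + boundary
    for n, line in enumerate(body.split(b"\r\n"), 1):
        if not line.startswith(delim):
            continue
        tail = line[len(delim):]
        if tail.startswith(b"--"):  # closing delimiter
            tail = tail[2:]
        # Only a little linear whitespace may follow a delimiter
        if tail.strip(b" \t") or len(tail) > MAX_PADDING:
            problems.append(f"line {n}: {len(tail)} unexpected bytes after delimiter")
    return problems

# Constructed sample requests (not captured traffic)
CTYPE = "multipart/form-data; boundary=X"
GOOD = b'--X\r\nContent-Disposition: form-data; name="a"\r\n\r\n1\r\n--X--\r\n'
PADDED_HYPHENS = GOOD[:-2] + b"-" * 40 + b"\r\n"
PADDED_SPACES = GOOD[:-2] + b" " * 40 + b"\r\n"

if __name__ == "__main__":
    for name, body in [("good", GOOD), ("hyphens", PADDED_HYPHENS), ("spaces", PADDED_SPACES)]:
        print(name, inspect_multipart(CTYPE, body) or "ok")
```

A check like this belongs in front of the parser, alongside a request body size limit, so that a rejected request is never handed to the multipart code.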

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.