imartinez PrivateGPT Denial-of-Service Vulnerability in File Upload Feature

A denial-of-service vulnerability has been identified in imartinez PrivateGPT version 0.6.2. This issue arises from the file upload feature, which improperly manages form-data containing large filenames. An attacker can exploit this vulnerability by sending a file upload request with an excessively large filename, causing the server to become overwhelmed and unavailable to legitimate users.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the server to become unresponsive and unavailable for legitimate users. This disruption can be particularly problematic as the vulnerability can be exploited by anyone with access to the upload endpoint, without the need for authentication.

Reproduction

The vulnerability can be reproduced by sending a POST request to the file upload endpoint with a multipart form-data payload that includes a filename excessively large. This can be done using a script that automates the process, such as one written in Python that uses the requests library to send the payload.