stangirard/quivr Denial-of-Service Vulnerability in File Upload Feature

A denial-of-service vulnerability has been identified in the file upload feature of stangirard/quivr version 0.0.298. This vulnerability allows unauthenticated attackers to cause excessive resource consumption by appending characters to the end of a multipart boundary in an HTTP request. The server processes each character individually, leading to resource exhaustion and making the service unavailable for all users.

Impact

Exploitation of this vulnerability causes severe server overload as it processes a massive number of appended characters, leading to significant performance degradation. This resource exhaustion can disrupt normal service operations, causing prolonged unresponsiveness and rendering the application unusable for legitimate users, despite the user interface appearing functional.

Reproduction

To reproduce this vulnerability, send a POST request to the '/upload' endpoint with a 'Content-Type' header indicating 'multipart/form-data' and a boundary that includes a large number of dashes. The request should include a file upload that is then appended with additional characters, such as dashes, to the multipart boundary. This can be automated with a script that adjusts the number of appended characters to achieve the desired level of resource consumption.