ZenML Denial-of-Service Vulnerability via Multipart Request Boundary Processing

Vulnerability

A denial-of-service (DoS) vulnerability exists in ZenML version 0.66.0. An unauthenticated attacker can cause excessive resource consumption by sending a malformed multipart request in which arbitrary characters are appended to the end of the multipart boundary lines. The malformed boundary drives request processing into an infinite loop, which results in a complete service outage for all users. The affected endpoints are '/api/v1/login' and '/api/v1/device_authorization'; because both are reachable before authentication, no credentials are needed to trigger the flaw.

Impact

Exploitation causes significant resource exhaustion and leaves the server unresponsive. The result is a complete denial-of-service condition in which legitimate users cannot interact with the service.

Reproduction

The vulnerability can be reproduced by sending a POST request to the '/api/v1/login' or '/api/v1/device_authorization' endpoint with a multipart/form-data body whose boundary lines carry excess characters appended after the boundary string. A short Python script using the 'requests' library, which builds the body with the padded boundary and sends it, is enough to automate the request.
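The following is an added example, not ZenML's code and not the fix shipped in 0.68.0. It shows the shape of the malformed body the advisory describes (a well-formed multipart/form-data body beside one whose boundary lines carry appended junk) and a strict pre-parse check, modelled on the RFC 2046 delimiter grammar, that rejects such bodies before they reach a form parser. The boundary string, the field names and the junk length are constructed sample values; the example never sends a request anywhere.

```python
"""Malformed multipart boundary: constructed sample bodies and a strict check.

Added example (not ZenML's code). RFC 2046 section 5.1.1 allows a delimiter
line to be "--" + boundary, optional linear whitespace, then CRLF; the close
delimiter adds "--" after the boundary. Anything else after the boundary is
malformed, which is the shape of the request described in the advisory.
"""
import re

CRLF = b"\r\n"

# Regex for what may legally follow "--<boundary>" on a delimiter line:
# an optional closing "--" and optional spaces/tabs, nothing more.
_ALLOWED_TAIL = re.compile(rb"^(--)?[ \t]*$")


def build_multipart(boundary: str, fields: dict, boundary_suffix: bytes = b"") -> bytes:
    """Build a multipart/form-data body for the given form fields.

    boundary_suffix is appended to every delimiter line directly after
    "--<boundary>". Leave it empty for a well-formed body; pass arbitrary
    bytes to reproduce the padded-boundary shape from the advisory.
    """
    delim = b"--" + boundary.encode("ascii")
    out = bytearray()
    for name, value in fields.items():
        out += delim + boundary_suffix + CRLF
        out += b'Content-Disposition: form-data; name="%s"' % name.encode("ascii") + CRLF
        out += CRLF
        out += value.encode("utf-8") + CRLF
    out += delim + b"--" + boundary_suffix + CRLF  # close delimiter
    return bytes(out)


def check_boundary_lines(body: bytes, boundary: str, max_body: int = 1 << 20):
    """Return (ok, reason) for a multipart body before handing it to a parser.

    Rejects bodies that exceed max_body, bodies with any unexpected bytes
    after a boundary string on a delimiter line, and bodies with no close
    delimiter. The check is linear in the body size and never loops on the
    junk itself, so it cannot be driven into the behaviour the advisory
    describes.
    """
    if len(body) > max_body:
        return False, "body exceeds %d bytes" % max_body
    delim = b"--" + boundary.encode("ascii")
    saw_close = False
    for line in body.split(CRLF):
        if not line.startswith(delim):
            continue  # header, blank or content line, not a delimiter
        tail = line[len(delim):]
        if not _ALLOWED_TAIL.match(tail):
            return False, "unexpected bytes after boundary: %r" % tail[:16]
        if tail.startswith(b"--"):
            saw_close = True
    if not saw_close:
        return False, "missing close delimiter"
    return True, "ok"


# Constructed sample values (not taken from any real request).
SAMPLE_BOUNDARY = "----example-boundary-1234"
SAMPLE_FIELDS = {"username": "alice", "password": "s3cret"}


def demo():
    """Return the verdicts for a well-formed body and a padded-boundary body."""
    good = build_multipart(SAMPLE_BOUNDARY, SAMPLE_FIELDS)
    bad = build_multipart(SAMPLE_BOUNDARY, SAMPLE_FIELDS, boundary_suffix=b"A" * 4096)
    return {
        "good": check_boundary_lines(good, SAMPLE_BOUNDARY),
        "bad": check_boundary_lines(bad, SAMPLE_BOUNDARY),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

A check of this kind belongs in front of the form parser (for example as middleware on the unauthenticated login and device-authorization routes), together with a hard cap on request body size; it does not replace updating to a fixed ZenML release.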

Remediation

Update to ZenML version 0.68.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.