Volerion logoVolerion
Volerion logoVolerion

Danswer Denial-of-Service Vulnerability via Memory Exhaustion

Vulnerability

A denial-of-service vulnerability has been identified in Danswer version 0.9.0. This issue stems from memory exhaustion caused by a vulnerable version of the Starlette package, through FastAPI, which was patched in FastAPI version 0.115.3. The vulnerability can be exploited by sending multiple requests to the /auth/saml/callback endpoint, leading to uncontrolled memory consumption and eventual denial of service.

Impact

Exploitation of this vulnerability causes denial-of-service conditions by exhausting available memory, which can lead to application crashes or unresponsiveness.

Reproduction

To reproduce this vulnerability, first run the Danswer project and set the AUTH_TYPE environment variable to 'saml' to enable the target endpoint. Then, send multiple parallel requests to the /auth/saml/callback endpoint with form data that triggers memory consumption, such as large payloads or random data.

Remediation

To address this vulnerability, update Danswer to a version that uses FastAPI 0.115.3 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread
7.6
impact
2.5
exploitability
9.7
remediation
7.7
relevance
0.0
threat
6.4
urgency
2.9
incentive
10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.