filebrowser
cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*
- 2.38.0
A denial-of-service vulnerability has been identified in File Browser version 2.38.0. The issue arises in the file processing logic when reading files through the endpoint '/api/resources/{file-name}'. The server loads the entire content of uploaded files into memory during read operations, without any size checks or resource limits. This flaw allows an authenticated user to upload large files, causing excessive memory usage that can crash the server or make it unresponsive.
Exploitation of this vulnerability leads to uncontrolled memory consumption, causing the server to crash or become unresponsive.
The vulnerability can be reproduced by uploading a large file, approximately 1.5 GB in size, through the '/api/resources/{file-name}' endpoint using a 'PUT' request. After the file is uploaded, attempting to read it through the File Browser interface will cause the server to hang and consume resources until the file is fully loaded, which takes a considerable amount of time.
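The following Go handlers are an added illustration of the mitigation this advisory implies, not File Browser's own code: the PUT path enforces an upload cap so a body is never buffered or written past the limit, and the read path streams the file instead of loading it whole. The limit value, storage directory and handler names are constructed assumptions.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"os"
	"path/filepath"
)

const maxUploadBytes int64 = 1 << 20 // constructed limit for this example, not File Browser's

// uploadHandler stores a PUT body under dir. MaxBytesReader stops reading at
// the cap with *http.MaxBytesError, so the excess is never buffered or written.
func uploadHandler(dir string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		dst := filepath.Join(dir, filepath.Base(r.URL.Path)) // Base drops client-supplied directories
		f, err := os.Create(dst)
		if err != nil {
			http.Error(w, "cannot create file", http.StatusInternalServerError)
			return
		}
		defer f.Close()
		_, err = io.Copy(f, http.MaxBytesReader(w, r.Body, maxUploadBytes))
		var tooBig *http.MaxBytesError
		switch {
		case errors.As(err, &tooBig):
			os.Remove(dst) // do not keep the truncated file
			http.Error(w, "file too large", http.StatusRequestEntityTooLarge)
		case err != nil:
			http.Error(w, "write failed", http.StatusInternalServerError)
		default:
			w.WriteHeader(http.StatusCreated)
		}
	}
}

// readHandler hands the file to http.ServeFile, which streams it to the socket in
// fixed-size chunks and honours Range, so memory use no longer grows with file size.
func readHandler(dir string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		path := filepath.Join(dir, filepath.Base(r.URL.Path))
		if st, err := os.Stat(path); err != nil || st.IsDir() {
			http.NotFound(w, r)
			return
		}
		http.ServeFile(w, r, path)
	}
}
```

A caller that still needs the bytes in memory (for a preview or hash, say) should wrap the reader in an io.LimitedReader sized to the same policy limit rather than calling io.ReadAll on the raw file.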