aiwaves-cn Agents Unauthenticated Denial-of-Service Vulnerability in Cheshire Cat Core

A denial-of-service vulnerability has been identified in aiwaves-cn agents versions prior to e8c4e3c2d19739d3dff59e577d1c97090cc15f59. The issue resides in the Cheshire Cat Core component, specifically within the 'recall_relevant_memories_to_working_memory' function of 'core/cat/looking_glass/stray_cat.py'. This vulnerability allows remote exploitation by causing excessive resource consumption. The problem arises because the application does not limit the size of incoming messages, enabling attackers to send overly large payloads that disrupt server operations.

Impact

Exploitation of this vulnerability leads to a complete denial-of-service condition, where the server crashes and terminates the process handling the request. This can cause significant application downtime, especially if the service is running in a containerized environment.

Reproduction

To reproduce this vulnerability, send a POST request to the '/message' endpoint with a JSON payload containing a text field. The text should be untruncated and can include up to 5,000,000 characters. The server will respond with a 500 error, indicating that a 'StackOverflow' error occurred, which causes the worker process to crash.