rdiffweb's unlimited length email field can lead to DoS

GHSA-qrj3-hrgj-fm7r · CVE-2022-3272 · PYSEC-2022-291

Published Sep 27, 2022 · Modified May 21, 2025

Description

rdiffweb prior to 2.4.8 does not validate email length, allowing users to insert an email longer than 255 characters. If a user signs up with an email with a length of 1 million or more characters and logs in, withdraws, or changes their email, the server may cause denial of service due to overload. Version 2.4.8 sets length limits for username, email, and root directory.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-3272
WEB https://github.com/ikus060/rdiffweb/commit/667657c6fe2b336c90be37f37fb92f65df4feee3
PACKAGE https://github.com/ikus060/rdiffweb
WEB https://github.com/pypa/advisory-database/tree/main/vulns/rdiffweb/PYSEC-2022-291.yaml
WEB https://huntr.com/bounties/733678b9-daa1-4d6a-875a-382fa09a6e38

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes