CVE-2024-9229 — Quivr unauthenticated Denial of Service (DoS) via Multipart Boundary

Description

A Denial of Service (DoS) vulnerability in the file upload feature of stangirard/quivr v0.0.298 allows unauthenticated attackers to cause excessive resource consumption by appending characters to the end of a multipart boundary in an HTTP request. This leads to the server continuously processing each character, rendering the service unavailable and impacting all users.

How to fix CVE-2024-9229

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2024-9229 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.0.14

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-9229
PATCHgithub.com/QuivrHQ/quivr
WEBgithub.com/QuivrHQ/quivr/blob/6b07a63e4e969d003710d6f6c6b9df36fd6ea803/backend/api/quivr_api/modules/upload/service/upload_file.py#L68-L101
WEBhuntr.com/bounties/946a412d-422f-4623-bb1d-d2646ad23dfd