CVE-2024-9056

BentoML version v1.3.4post1 is vulnerable to a Denial of Service (DoS) attack. The vulnerability can be exploited by appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request. This causes the server to continuously process each character, leading to excessive resource consumption and rendering the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/a24a13c2-0300-4a95-b26a-ac7fe8f6521b

Configurations

No configuration.

History

15 Oct 2025, 13:15

Type	Values Removed	Values Added
CWE	~~CWE-400~~	CWE-770
Summary		(es) La versión v1.3.4post1 de BentoML es vulnerable a un ataque de denegación de servicio (DoS). Esta vulnerabilidad se puede explotar añadiendo caracteres, como guiones (-), al final de un límite multiparte en una solicitud HTTP. Esto provoca que el servidor procese continuamente cada carácter, lo que genera un consumo excesivo de recursos y deja el servicio indisponible. El problema no requiere autenticación y no requiere la interacción del usuario, lo que afecta a todos los usuarios del servicio.

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-10-15 13:15

NVD link : CVE-2024-9056

Mitre link : CVE-2024-9056

CVE.ORG link : CVE-2024-9056

JSON object : View

Products Affected

No product.

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10