CVE-2024-8028 in danswer

Summary

by MITRE • 03/20/2025

A vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to cause a Denial of Service (DoS) by uploading a file with a malformed multipart boundary. By appending a large number of characters to the end of the multipart boundary, the server continuously processes each character, rendering the application inaccessible. This issue can be exploited by sending a single crafted request, affecting all users on the server.

Analysis

by VulDB Data Team • 10/16/2025

The vulnerability identified as CVE-2024-8028 represents a critical denial of service weakness within the danswer-ai/danswer application version 0.3.94. This flaw resides in the application's handling of multipart file uploads, specifically when processing boundary delimiters that define the separation between different parts of a multipart message. The vulnerability stems from insufficient input validation and processing logic that fails to properly sanitize or limit the length of multipart boundary identifiers, creating a scenario where malicious input can trigger excessive computational overhead.

The technical exploitation of this vulnerability occurs through the manipulation of multipart boundary definitions in file upload requests. When an attacker crafts a request with an excessively long boundary string by appending numerous characters to the boundary delimiter, the application's parsing logic becomes trapped in a continuous processing loop. Each character in the malformed boundary triggers a separate processing step within the server's multipart parsing mechanism, causing the system to consume disproportionate CPU resources and memory. This processing behavior effectively creates a resource exhaustion condition that prevents legitimate users from accessing the application services.

The operational impact of CVE-2024-8028 extends beyond simple service disruption to encompass complete application unavailability for all connected users. Since the vulnerability can be triggered through a single malicious request, an attacker requires minimal effort to render the entire system inoperable. The continuous processing nature of the flaw means that the denial of service persists until the application is manually restarted or the malicious request processing is terminated, creating extended downtime periods that can severely impact productivity and user access. This vulnerability directly maps to CWE-400, which addresses "Uncontrolled Resource Consumption" in software applications, and aligns with ATT&CK technique T1499.004 for "Endpoint Denial of Service" within the adversary tactics framework.

Mitigation strategies for this vulnerability should focus on implementing robust input validation and boundary length restrictions within the multipart parsing components. The application should enforce maximum boundary length limits and implement early termination logic for excessively long boundary strings to prevent the continuous character-by-character processing. Additionally, rate limiting mechanisms and request size limitations should be implemented to further protect against similar exploitation vectors. Organizations should also consider implementing proper error handling and resource monitoring to detect and respond to unusual processing patterns that may indicate exploitation attempts. Regular updates to the danswer-ai/danswer application should be prioritized to ensure that patched versions addressing this vulnerability are deployed across all production environments.
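One way to apply the boundary length limit and early rejection described above, as an added example (not Danswer's code or its patch). The names `multipart_boundary`, `BoundaryGuard`, `MAX_CT_LEN` and `MAX_BODY` and both cap values are assumptions; the 70-character boundary limit comes from RFC 2046.

```python
import re

MAX_CT_LEN = 256              # assumed cap on the whole Content-Type header
MAX_BODY = 50 * 1024 * 1024   # assumed upload cap in bytes; tune per deployment
# RFC 2046 section 5.1.1: 1 to 70 boundary characters, the last one not a space.
_BOUNDARY = re.compile(r"[0-9A-Za-z'()+_,./:=? -]{0,69}[0-9A-Za-z'()+_,./:=?-]")


def multipart_boundary(content_type: str):
    """Return the boundary, None for non-multipart requests, or raise ValueError."""
    if len(content_type) > MAX_CT_LEN:  # cheap length check before any parsing
        raise ValueError("Content-Type header too long")
    media, _, params = content_type.partition(";")
    if not media.strip().lower().startswith("multipart/"):
        return None
    found = []
    for part in params.split(";"):
        key, _, value = part.partition("=")
        if key.strip().lower() == "boundary":
            found.append(value.strip())
    if len(found) != 1:
        raise ValueError("expected exactly one boundary parameter")
    value = found[0]
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # strip one balanced pair of quotes
    if not _BOUNDARY.fullmatch(value):
        raise ValueError("boundary violates RFC 2046 length or charset")
    return value


class BoundaryGuard:
    """Pure ASGI middleware: answer 400 before the multipart parser sees the body."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            headers = {k: v.decode("latin-1") for k, v in scope["headers"]}
            try:
                multipart_boundary(headers.get(b"content-type", ""))
                if int(headers.get(b"content-length", "0")) > MAX_BODY:
                    raise ValueError("declared body too large")
            except ValueError as exc:
                await send({"type": "http.response.start", "status": 400,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": str(exc).encode()})
                return
        await self.app(scope, receive, send)
```

This guards only the header and the declared size; requests sent without a Content-Length still need a streaming byte limit at the reverse proxy or in the parser.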

Responsible: @huntr Ai
Reservation: 08/20/2024
Disclosure: 03/20/2025
Moderation: accepted
CPE: ready
EPSS: 0.00455
KEV: no
Activities: very low
