CVE-2025-0191 in ChuanhuChatGPT
Summary
by MITRE • 03/20/2025
A Denial of Service (DoS) vulnerability exists in the file upload feature of gaizhenbiao/chuanhuchatgpt version 20240914. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. By sending a payload with an excessively large filename, the server becomes overwhelmed and unresponsive, leading to unavailability for legitimate users.
Analysis
by VulDB Data Team • 07/09/2025
The vulnerability identified as CVE-2025-0191 represents a critical denial of service weakness within the chuanhuchatgpt application version 20240914. This issue specifically targets the file upload functionality, which serves as a potential attack vector for disrupting service availability. The flaw manifests when the application processes form-data containing unusually long filenames, creating a scenario where server resources become consumed to the point of complete unresponsiveness. The root cause lies in the application's insufficient validation and handling mechanisms for file metadata, particularly filename length parameters that are not properly constrained or sanitized.
The technical implementation of this vulnerability exploits the lack of input validation controls within the file upload processing pipeline. When a malicious actor submits a file upload request containing an extraordinarily long filename, the server allocates memory and processing cycles to handle this oversized parameter without proper bounds checking. This behavior creates a resource exhaustion condition where the application's memory allocation mechanisms become overwhelmed, leading to system instability and eventual service termination. The vulnerability operates at the application layer and can be triggered through standard HTTP file upload requests, making it particularly dangerous as it requires no specialized tools or privileges beyond normal user access. This weakness falls under the CWE-400 category of Uncontrolled Resource Consumption, specifically targeting the improper handling of resource parameters in web applications. The attack pattern aligns with the ATT&CK technique T1499.004, which describes Network Denial of Service attacks through resource exhaustion.
The operational impact of CVE-2025-0191 extends beyond simple service disruption, potentially affecting business continuity and user experience for legitimate system users. When exploited, this vulnerability can cause cascading failures within the application's resource management subsystem, leading to complete service unavailability for extended periods. The affected system becomes vulnerable to sustained denial of service attacks that can be executed with minimal technical expertise, making it particularly concerning for production environments. Organizations relying on this application for critical operations face significant risk of service interruption, potential data loss, and reputational damage. The vulnerability's exploitation can occur through automated tools, enabling mass deployment of denial of service attacks that overwhelm server capacity and prevent legitimate user access to the application's file upload functionality.
Mitigation strategies for this vulnerability should focus on implementing robust input validation and resource limiting mechanisms within the application's file upload processing. The primary recommendation involves establishing strict bounds checking for filename parameters, including maximum length restrictions that prevent oversized file metadata from being processed. Implementing rate limiting and resource quotas for file upload operations can help prevent resource exhaustion attacks from succeeding. Additionally, deploying proper error handling and timeout mechanisms ensures that even malformed requests do not cause system-wide failures. Security teams should also consider implementing web application firewalls with content filtering capabilities to detect and block suspicious file upload patterns. Regular security assessments and code reviews focusing on input validation controls should be conducted to identify similar vulnerabilities in other application components. The fix should include immediate patching of the application to enforce filename length limits and implement proper resource management controls that prevent excessive memory allocation during file upload processing, thereby addressing the core weakness that enables this denial of service condition.
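One way to apply the filename bounds check described above is to scan the multipart part headers before the upload reaches the application's own parser. This is an added example, not code from ChuanhuChatGPT or its fix; the function name, the exception class, the two limits and the sample body are assumptions chosen for illustration.

```python
import io
from email.message import Message

MAX_HEADER_LINE = 1024  # assumed cap on one part-header line, in bytes
MAX_FILENAME = 255      # assumed cap on the filename, in characters

# Constructed sample body (not captured traffic).
SAMPLE = (b"--XBOUND\r\n"
          b'Content-Disposition: form-data; name="files"; filename="notes.txt"\r\n'
          b"Content-Type: text/plain\r\n\r\n"
          b"hello\r\n"
          b"--XBOUND--\r\n")

class UploadRejected(ValueError):
    """Raised when a part header breaks the limits above."""

def check_part_headers(stream, boundary: bytes) -> list:
    """Scan a multipart/form-data body and return the filenames it declares.

    Reads with readline(limit), so an oversized header line is rejected after
    at most MAX_HEADER_LINE + 1 bytes instead of being buffered whole.
    """
    delimiter = b"--" + boundary
    in_headers, at_line_start, names = False, True, []
    while True:
        line = stream.readline(MAX_HEADER_LINE + 1)
        if not line:
            return names
        # A chunk only counts as a line start if the previous one ended a line.
        starts_line, at_line_start = at_line_start, line.endswith(b"\n")
        stripped = line.rstrip(b"\r\n")
        if starts_line and stripped in (delimiter, delimiter + b"--"):
            in_headers = stripped == delimiter  # closing delimiter opens no part
            continue
        if not in_headers:
            continue  # part body: skipped in bounded chunks
        if line in (b"\r\n", b"\n"):
            in_headers = False  # blank line ends the part headers
            continue
        if not line.endswith(b"\n"):
            raise UploadRejected("part header line exceeds MAX_HEADER_LINE")
        name, _, value = line.decode("utf-8", "replace").partition(":")
        if name.strip().lower() == "content-disposition":
            msg = Message()
            msg["Content-Disposition"] = value.strip()
            filename = msg.get_filename()
            if filename is not None and len(filename) > MAX_FILENAME:
                raise UploadRejected("filename exceeds MAX_FILENAME")
            if filename is not None:
                names.append(filename)

if __name__ == "__main__":
    print(check_part_headers(io.BytesIO(SAMPLE), b"XBOUND"))
```

A check like this complements a cap on total request size enforced at the reverse proxy or server; it does not replace one.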