| Title | aiwaves-cn agents latest Uncontrolled Resource Consumption (CWE-400) |
|---|---|
| Description | # Technical Details
An Unauthenticated Denial of Service (DoS) vulnerability exists in the `recall_relevant_memories_to_working_memory` method in `core/cat/looking_glass/stray_cat.py` of agents (cheshire_cat_core).
The application fails to truncate or limit the size of incoming user message payloads (`user_message_json.text`) before passing them to the underlying `tiktoken` encoding function.
# Vulnerable Code
File: `core/cat/looking_glass/stray_cat.py`
Method: `recall_relevant_memories_to_working_memory`
Why: The `tiktoken` library (written in Rust) imposes a stack depth limit. When given an excessively large string, it panics with a `StackOverflow`, issuing a fatal exception that terminates the Python FastAPI worker process serving the request.
# Reproduction
1. Start the core application on its default port (1865).
2. Construct a malicious JSON payload with 5,000,000 characters (`"A" * 5_000_000`).
3. Send it to the `/message` endpoint via a standard HTTP POST request.
4. Observe that the server drops the connection, returns a 500 Internal Server Error, and the worker process crashes fatally.
# Impact
- Complete Denial of Service (DoS).
- Prolonged application downtime through continuous worker termination or resource exhaustion. |
| Source | https://github.com/aiwaves-cn/agents/issues/219 |
| User | Eric-b (UID 96354) |
| Submitted | 2026-04-23 09:44 AM (1 month ago) |
| Moderation | 2026-05-11 03:18 PM (18 days later) |
| Status | Accepted |
| VulDB Entry | 362606 [aiwaves-cn agents up to e8c4e3c2d19739d3dff59e577d1c97090cc15f59 cheshire_cat_core stray_cat.py recall_relevant_memories_to_working_memory denial of service] |
| Points | 20 |
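The root cause stated in the description is that message text reaches the tokenizer with no size bound. The following is an added mitigation example written for this page; it is not code from the aiwaves-cn/agents or cheshire_cat_core projects. It assumes a hypothetical `encode` callable standing in for `tiktoken.Encoding.encode`, and the limits `MAX_MESSAGE_CHARS` / `MAX_MESSAGE_BYTES` are constructed values, not project settings. The guard bounds both code points and UTF-8 bytes before any tokenizer call, so an oversized payload is rejected (or, optionally, truncated) and the tokenizer never sees it.

```python
"""Input-size guard placed in front of a tokenizer.

Added example, not code from the aiwaves-cn/agents or cheshire_cat_core
projects. `encode` is a hypothetical stand-in for tiktoken's encode;
the limits below are constructed values chosen for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List

# Constructed limits: far below the 5,000,000-character payload described in
# the report, while still generous for a chat message.
MAX_MESSAGE_CHARS = 20_000
MAX_MESSAGE_BYTES = 64 * 1024


class MessageTooLarge(ValueError):
    """Raised when a message exceeds the configured size limits."""


@dataclass(frozen=True)
class GuardResult:
    text: str            # text that may safely be passed to the tokenizer
    truncated: bool      # True if the text was cut to fit the limits
    original_chars: int  # code points in the incoming text
    original_bytes: int  # UTF-8 bytes in the incoming text


def guard_message_text(text: str, *, max_chars: int = MAX_MESSAGE_CHARS,
                       max_bytes: int = MAX_MESSAGE_BYTES,
                       truncate: bool = False) -> GuardResult:
    """Bound both the code-point and UTF-8 byte length of `text`.

    Both limits are checked because a string of multi-byte characters can be
    short in characters yet large in bytes. With truncate=False (the default)
    oversized input is rejected with MessageTooLarge; with truncate=True it is
    cut to fit, for callers that prefer graceful degradation to a 4xx response.
    """
    if not isinstance(text, str):
        raise TypeError("message text must be a str")
    n_chars = len(text)
    n_bytes = len(text.encode("utf-8"))
    if n_chars <= max_chars and n_bytes <= max_bytes:
        return GuardResult(text, False, n_chars, n_bytes)
    if not truncate:
        raise MessageTooLarge(
            f"message of {n_chars} chars / {n_bytes} bytes exceeds "
            f"{max_chars} chars / {max_bytes} bytes")
    # Cut by characters first, then by bytes; errors="ignore" drops a partial
    # multi-byte sequence left at the cut point so the result is valid UTF-8.
    cut = text[:max_chars].encode("utf-8")[:max_bytes]
    return GuardResult(cut.decode("utf-8", errors="ignore"), True, n_chars, n_bytes)


def count_tokens_guarded(text: str, encode: Callable[[str], List[int]],
                         **limits) -> int:
    """Apply the guard first, then tokenize; oversized input never reaches `encode`."""
    result = guard_message_text(text, **limits)
    return len(encode(result.text))


def rejects(text: str, **limits) -> bool:
    """Convenience predicate: True if the guard would refuse `text` outright."""
    try:
        guard_message_text(text, **limits)
    except MessageTooLarge:
        return True
    return False


def whitespace_tokenizer(text: str) -> List[int]:
    """Constructed stand-in for a real tokenizer: one token id per whitespace word."""
    return [hash(word) & 0xFFFF for word in text.split()]


if __name__ == "__main__":
    print(count_tokens_guarded("hello big world", whitespace_tokenizer))
    print(rejects("A" * 5_000_000))                         # True: never tokenized
    print(guard_message_text("A" * 5_000_000, truncate=True).original_chars)
```

In a request handler this guard belongs before the first tokenizer call, and a body-size limit at the reverse proxy or ASGI server is the complementary layer: the guard protects the tokenizer, the body limit stops multi-megabyte payloads from being read into memory at all. Choosing `truncate=True` silently changes what the model sees, so rejecting with a clear error is the safer default for an API.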