Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-10912

CVE-2024-10912: Lm-sys Fastchat DoS Vulnerability

CVE-2024-10912 is a Denial of Service flaw in Lm-sys Fastchat's file upload feature that allows attackers to overwhelm servers with large filenames. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-10912 Overview

CVE-2024-10912 is a Denial of Service (DoS) vulnerability affecting lm-sys/fastchat version 0.2.36. The flaw resides in the file upload feature, which improperly handles form-data containing an oversized filename. An unauthenticated remote attacker can submit a crafted upload request with an excessively large filename to exhaust server resources. Successful exploitation renders the FastChat service unavailable to legitimate users. The vulnerability is tracked under CWE-400: Uncontrolled Resource Consumption and carries a network attack vector requiring no privileges or user interaction.

Critical Impact

Remote unauthenticated attackers can crash or exhaust FastChat servers by submitting file upload requests with oversized filenames, disrupting availability for all users.

Affected Products

  • lm-sys FastChat version 0.2.36
  • FastChat deployments exposing the file upload endpoint
  • LLM serving stacks and chat frontends built on FastChat 0.2.36

Discovery Timeline

  • 2025-03-20 - CVE-2024-10912 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-10912

Vulnerability Analysis

FastChat is an open-source platform for training, serving, and evaluating large language model chatbots. The affected release, 0.2.36, exposes an HTTP file upload endpoint that parses multipart/form-data requests. The endpoint does not enforce an upper bound on the length of the filename parameter contained in the form-data headers.

When an attacker submits a request containing a filename of excessive length, the server allocates and processes memory proportional to that input. Repeated or single large requests overwhelm the server, degrading response times or causing termination of the FastChat worker process. Because the endpoint accepts requests without authentication, exploitation requires only network reachability to the affected instance.

Root Cause

The root cause is missing input length validation in the multipart form-data parsing path of the file upload handler. FastChat trusts the client-supplied filename field and processes it without size ceilings or rate limiting, satisfying the conditions described in CWE-400.

Attack Vector

Exploitation occurs over the network against any exposed FastChat upload endpoint. The attacker crafts a POST request with Content-Type: multipart/form-data and sets the filename attribute to an extremely long string. No credentials, tokens, or user interaction are required. The vulnerability affects availability only; confidentiality and integrity are not impacted. For technical details, see the Huntr Bug Bounty Report.

Detection Methods for CVE-2024-10912

Indicators of Compromise

  • HTTP POST requests to FastChat upload endpoints containing Content-Disposition headers with filename values exceeding several kilobytes.
  • FastChat worker processes exhibiting sustained memory growth or unexpected restarts under load.
  • Access logs showing repeated multipart uploads from a single source IP with anomalous request sizes.

Detection Strategies

  • Deploy a Web Application Firewall (WAF) rule that inspects Content-Disposition headers and blocks filenames exceeding a defined threshold, such as 255 bytes.
  • Correlate FastChat service crashes or restarts with inbound multipart upload traffic in the same window.
  • Alert on abnormal payload sizes or malformed multipart boundaries reaching the FastChat listener.

Monitoring Recommendations

  • Monitor memory and CPU utilization of FastChat worker processes and alert on sustained spikes.
  • Capture and retain HTTP request metadata for upload endpoints, including header sizes, in a centralized log store for retroactive investigation.
  • Track request-per-second rates against the upload API and flag deviations from baseline behavior.

How to Mitigate CVE-2024-10912

Immediate Actions Required

  • Restrict network exposure of FastChat upload endpoints to trusted networks or authenticated users only.
  • Place FastChat behind a reverse proxy that enforces request size and header length limits.
  • Rate-limit upload requests per source IP to reduce the impact of resource exhaustion attempts.
  • Review server logs for prior exploitation attempts matching oversized filename patterns.

Patch Information

No vendor advisory or patched version is referenced in the NVD entry at publication time. Operators of lm-sys/fastchat0.2.36 should monitor the lm-sys/FastChat GitHub repository and the Huntr Bug Bounty Report for fix availability and upgrade as soon as a corrected release is published.

Workarounds

  • Enforce a maximum filename length in an upstream proxy such as nginx using client_header_buffer_size and large_client_header_buffers directives.
  • Disable the file upload feature if it is not required by the deployment.
  • Isolate FastChat behind an authenticated gateway so unauthenticated internet traffic cannot reach the upload endpoint.
bash
# Example nginx configuration to cap upload header and body sizes
server {
    listen 443 ssl;
    server_name fastchat.example.com;

    client_max_body_size 10m;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;

    location /upload {
        limit_req zone=uploads burst=5 nodelay;
        proxy_pass http://fastchat_backend;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.