CVE-2024-10935 Overview
CVE-2024-10935 affects automatic1111/stable-diffusion-webui version 1.10.0. The server improperly handles excessive characters appended to multipart boundary values in HTTP requests. Attackers send malformed multipart requests with arbitrary characters at the end of the boundary to trigger excessive resource consumption. The result is a complete denial of service that blocks all users from the application.
The flaw requires no authentication and no user interaction. Any unauthenticated attacker with network reach to the service can disrupt operations. The weakness is classified under CWE-770: Allocation of Resources Without Limits or Throttling.
Critical Impact
Unauthenticated remote attackers can cause complete service unavailability of stable-diffusion-webui 1.10.0 by sending crafted multipart HTTP requests.
Affected Products
- automatic1111 stable-diffusion-webui 1.10.0
- Deployments exposing the WebUI over HTTP/HTTPS
- Self-hosted stable-diffusion-webui instances accessible from untrusted networks
Discovery Timeline
- 2025-03-20 - CVE-2024-10935 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-10935
Vulnerability Analysis
The vulnerability resides in the multipart request parsing logic of stable-diffusion-webui 1.10.0. Multipart HTTP requests use a boundary string to separate content parts. RFC 7578 defines constraints on boundary formatting and length. The affected server does not enforce these constraints when parsing the boundary field.
When an attacker appends excessive characters to the boundary value, the parser consumes disproportionate CPU and memory to process the malformed input. The condition qualifies as an algorithmic complexity issue, mapped to CWE-770 for missing resource throttling. Successful exploitation exhausts server resources and prevents legitimate requests from being served.
Root Cause
The root cause is missing input validation on multipart boundary length and content. The server accepts arbitrarily long boundary values without imposing size limits or rate throttling. No upstream sanitization discards oversized boundaries before they reach the parser.
Attack Vector
The attack vector is network-based. An attacker sends HTTP POST requests with a Content-Type: multipart/form-data; boundary=... header containing excessive characters appended to the boundary token. Repeated requests amplify resource consumption until the service stops responding.
Exploitation requires no credentials and no user interaction. Any endpoint of the WebUI accepting multipart form data is a candidate target. Refer to the Huntr Bounty Listing for reported technical context.
No verified proof-of-concept code is published for CVE-2024-10935.
The vulnerability is triggered by malformed multipart HTTP requests
with excessive characters appended to the boundary parameter.
Detection Methods for CVE-2024-10935
Indicators of Compromise
- Unusually large Content-Type headers containing multipart boundary strings exceeding typical lengths (over 200 characters).
- Sudden spike in CPU or memory usage on hosts running stable-diffusion-webui correlated with inbound HTTP POST traffic.
- Repeated 5xx responses or request timeouts from the WebUI service under sustained POST traffic.
Detection Strategies
- Inspect HTTP request headers at the reverse proxy or WAF for anomalous boundary length in multipart/form-data requests.
- Rate-limit and log inbound requests per source IP targeting the WebUI, flagging bursts of large multipart requests.
- Correlate process resource metrics on WebUI hosts with request logs to identify DoS attempts in progress.
Monitoring Recommendations
- Enable verbose HTTP access logging including full Content-Type header values for the WebUI.
- Monitor service availability with active health checks and alert on latency degradation.
- Track EPSS trend for CVE-2024-10935 to prioritize patch cycles as exploitation likelihood shifts.
How to Mitigate CVE-2024-10935
Immediate Actions Required
- Restrict network exposure of stable-diffusion-webui to trusted networks or authenticated VPN clients.
- Deploy a reverse proxy (nginx, Caddy, or equivalent) in front of the WebUI to enforce request header size limits.
- Apply rate limiting on POST endpoints to constrain resource consumption per client.
Patch Information
No vendor advisory URL is listed in the NVD record for CVE-2024-10935. Monitor the automatic1111/stable-diffusion-webui GitHub repository for releases beyond 1.10.0 that address multipart parsing. Upgrade to a fixed version once published and validate the change in a staging environment before production rollout.
Workarounds
- Configure the fronting reverse proxy to reject requests with Content-Type headers exceeding a strict length threshold.
- Terminate TLS and inspect multipart boundaries at a WAF that supports boundary validation.
- Isolate the WebUI behind authentication middleware to remove unauthenticated network reachability.
# nginx example: cap client header size and request rate for the WebUI
http {
limit_req_zone $binary_remote_addr zone=sdwebui:10m rate=5r/s;
large_client_header_buffers 4 8k;
client_header_buffer_size 1k;
server {
listen 443 ssl;
server_name sdwebui.example.internal;
location / {
limit_req zone=sdwebui burst=10 nodelay;
client_max_body_size 25m;
proxy_pass http://127.0.0.1:7860;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

