CVE-2026-2957 Overview
A denial of service vulnerability has been identified in qinming99 dst-admin versions up to 1.5.0. This weakness impacts the deleteBackup function within the file src/main/java/com/tugos/dst/admin/controller/BackupController.java of the File Handler component. The vulnerability allows remote attackers to cause a denial of service condition through improper resource release (CWE-404). The exploit has been made publicly available, and the vendor was contacted about this disclosure but did not respond.
Critical Impact
Remote attackers can exploit improper resource shutdown in the backup deletion functionality to cause denial of service, affecting system availability and potentially disrupting server management operations.
Affected Products
- dst-admin versions up to and including 1.5.0
- dst-admin_project dst-admin (all affected versions)
- Systems running qinming99 dst-admin with the vulnerable BackupController component
Discovery Timeline
- 2026-02-22 - CVE-2026-2957 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-2957
Vulnerability Analysis
This vulnerability exists in the dst-admin application, a web-based administration tool for managing Don't Starve Together dedicated servers. The flaw resides specifically in the deleteBackup function within the BackupController.java file located at src/main/java/com/tugos/dst/admin/controller/BackupController.java.
The vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release), indicating that the application fails to properly release or clean up resources during the backup deletion process. This improper handling can be exploited remotely by authenticated attackers to consume system resources, leading to degraded performance or complete service unavailability.
The attack can be initiated over the network and requires low-privilege authentication, making it accessible to any user with basic access to the dst-admin interface. The exploitation results in limited impact to both integrity and availability of the target system.
Root Cause
The root cause of this vulnerability is improper resource management in the backup deletion functionality. The deleteBackup function fails to properly release file handles, memory allocations, or other system resources when processing backup deletion requests. Because those resources are never returned to the system, an attacker who repeatedly triggers the function can exhaust them, which leads to denial of service.
Attack Vector
The attack vector is network-based, requiring only low-privilege authentication to exploit. An attacker with basic access to the dst-admin web interface can target the backup deletion endpoint. By sending specially crafted or repeated requests to the deleteBackup function, the attacker can trigger the improper resource release behavior, gradually exhausting system resources until the service becomes unresponsive or crashes.
The vulnerability does not require user interaction beyond the initial authentication, and the attack complexity is low, making it relatively straightforward to exploit once an attacker has obtained valid credentials for the dst-admin interface.
Technical details regarding the specific exploitation method can be found in the Feishu Document referenced in the vulnerability disclosure. Additional vulnerability intelligence is available through the VulDB entry #347324.
Detection Methods for CVE-2026-2957
Indicators of Compromise
- Unusual spike in requests to the backup deletion endpoint (/backup/delete or similar paths in dst-admin)
- Increased memory or file handle consumption on systems running dst-admin
- Repeated authentication attempts followed by backup-related API calls
- Service degradation or unresponsiveness of the dst-admin web interface
Detection Strategies
- Monitor HTTP access logs for abnormal patterns of requests targeting backup management endpoints
- Implement rate limiting on the deleteBackup function to prevent resource exhaustion attacks
- Configure alerting for unusual resource consumption patterns on dst-admin server processes
- Deploy web application firewalls (WAF) to detect and block suspicious request patterns
Monitoring Recommendations
- Enable detailed logging for the BackupController component to track deletion requests
- Set up resource monitoring alerts for memory usage, file descriptors, and CPU consumption
- Monitor authentication logs for accounts making excessive backup management requests
- Implement anomaly detection for API call patterns that deviate from normal usage baselines
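The log-based strategies above (monitoring access logs for bursts against backup endpoints and spotting accounts that make excessive backup-management requests) can be implemented as a sliding-window counter. The following is an added example, not code from the advisory or from the dst-admin project; it assumes nginx combined-format access logs in front of dst-admin, takes /backup/delete from the indicators above and treats the other path variants as unconfirmed assumptions, and uses constructed sample log lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# nginx "combined"-style access log line (the constructed samples below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# /backup/delete is the path the advisory names; "remove" is an assumed variant.
BACKUP_DELETE_RE = re.compile(r"^/backup/(delete|remove)\b", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "user": m["user"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], TS_FMT)}


def find_bursts(lines, window_seconds=60, threshold=10):
    """Return {(ip, user): peak_count} for clients whose backup-deletion requests
    exceeded `threshold` inside any sliding window; lines must be chronological."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not BACKUP_DELETE_RE.match(rec["path"]):
            continue
        key = (rec["ip"], rec["user"])
        q = recent[key]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()               # expire timestamps older than the window
        if len(q) > threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


# Constructed sample: one routine deletion by an admin, then twelve deletions
# in twelve seconds from a second, low-privilege account.
SAMPLE_LOG = [
    '10.0.0.5 - admin [22/Feb/2026:10:00:00 +0000] "POST /backup/delete?name=world1.zip HTTP/1.1" 200 52',
] + [
    f'10.0.0.9 - guest [22/Feb/2026:10:05:{i:02d} +0000] "POST /backup/delete?name=b{i}.zip HTTP/1.1" 200 52'
    for i in range(12)
]
```

Running find_bursts(SAMPLE_LOG) flags only the guest account; tune window_seconds and threshold to the normal deletion rate of your administrators.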
How to Mitigate CVE-2026-2957
Immediate Actions Required
- Restrict network access to dst-admin interfaces to trusted IP addresses only
- Implement rate limiting on backup management endpoints to prevent abuse
- Review and restrict user permissions for backup deletion functionality
- Consider temporarily disabling the backup deletion feature until a patch is available
Patch Information
As of the last update, the vendor (qinming99) was contacted regarding this vulnerability but did not respond. No official patch has been released. Organizations using dst-admin should monitor the VulDB entry and the project repository for any security updates. Consider migrating to alternative server management solutions if no patch becomes available.
Workarounds
- Implement a reverse proxy with rate limiting in front of the dst-admin application
- Restrict access to the backup management functionality through firewall rules or authentication controls
- Deploy network segmentation to limit exposure of the dst-admin interface to untrusted networks
- Monitor and automatically restart the dst-admin service if resource exhaustion is detected
# Configuration example - Nginx rate limiting for dst-admin backup endpoints
# (/backup is assumed to be the path prefix of the backup routes; adjust to the deployed application)
http {
    # Shared-memory zone keyed by client address: at most 2 requests per second
    limit_req_zone $binary_remote_addr zone=backup_limit:10m rate=2r/s;

    server {
        listen 80;

        location /backup {
            # Permit a short burst of 5 requests without delay, then answer 429
            limit_req zone=backup_limit burst=5 nodelay;
            limit_req_status 429;
            proxy_pass http://localhost:8080;
        }
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.