CVE-2025-1451
Published: 20 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-1451 is a vulnerability in parisneo/lollms-webui version 13, stemming from the server's improper handling of multipart boundaries in file uploads. The server does not limit or validate the length of the boundary or the characters appended to it, allowing attackers to craft requests with excessively long boundaries. This triggers resource exhaustion, leading to denial of service (DoS). An attempted patch in commit 483431bb blocks hyphen characters appended to the multipart boundary, but the fix is insufficient, as the server remains vulnerable when other characters such as '4' or 'a' are used. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770.
Remote attackers without authentication or privileges can exploit this vulnerability by sending specially crafted file upload requests featuring oversized multipart boundaries. Exploitation consumes excessive server resources, resulting in service unavailability and DoS, with no impact on confidentiality or integrity.
The Huntr advisory at https://huntr.com/bounties/63f5aea4-953b-4b38-9f10-3afe425be1d4 details the incomplete nature of the commit 483431bb patch and confirms ongoing vulnerability to non-hyphen characters. Practitioners should apply any subsequent patches, enforce strict multipart boundary validation, and monitor for resource usage anomalies until full mitigation is confirmed.
AI Security Analysis
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- parisneo/lollms-webui is a web UI platform for running and managing large language models (LOLLMS), confirmed as AI-related through the AI/ML bug bounty platform huntr. The vulnerability lies in the web server's file upload handling, which fits the 'Other Platforms' category as a deployment interface for LLMs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables endpoint denial of service: crafted multipart file upload requests with excessively long boundaries exhaust server resources, which matches both the application exhaustion flood and the application exploitation forms of the technique as applied to the webui application.