7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-10907

GHSA ID

GHSA-qg86-f892-m4hj

EPSS Score

0.18792%

CWE

CWE-400

Published

3/20/2025

Updated

3/21/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-10907

CVE-2024-10907: FastChat Uncontrolled Resource Consumption vulnerability

In lm-sys/fastchat Release v0.2.36, the server fails to handle excessive characters appended to the end of multipart boundaries. This flaw can be exploited by sending malformed multipart requests with arbitrary characters at the end of the boundary. Each extra character is processed in an infinite loop, leading to excessive resource consumption and a complete denial of service (DoS) for all users. The vulnerability is unauthenticated, meaning no user login or interaction is required for an attacker to exploit this issue.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-10907

GHSA ID

GHSA-qg86-f892-m4hj

EPSS Score

0.18792%

CWE

CWE-400

Published

3/20/2025

Updated

3/21/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fschat	pip	<= 0.2.36

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers around improper handling of multipart boundary parsing leading to an infinite loop. While no patch diffs are available, the description indicates the server's multipart processor fails to validate() boundary termination. In Python web architectures, multipart parsing is typically implemented in request handlers or controller modules. The medium confidence reflects inference from vulnerability behavior rather than direct code observation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In lm-sys/**st***t R*l**s* v*.*.**, t** s*rv*r **ils to **n*l* *x**ssiv* ***r**t*rs *pp*n*** to t** *n* o* multip*rt *oun**ri*s. T*is *l*w **n ** *xploit** *y s*n*in* m*l*orm** multip*rt r*qu*sts wit* *r*itr*ry ***r**t*rs *t t** *n* o* t** *oun**ry.

Reasoning

T** vuln*r**ility **nt*rs *roun* improp*r **n*lin* o* multip*rt *oun**ry p*rsin* l***in* to *n in*init* loop. W*il* no p*t** *i**s *r* *v*il**l*, t** **s*ription in*i**t*s t** s*rv*r's multip*rt pro**ssor **ils to `v*li**t*()` *oun**ry t*rmin*tion. I

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-10907: FastChat Uncontrolled Resource Consumption vulnerability

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI