CVE-2024-10907 HIGH

CVE-2024-10907: Denial of Service (DoS) via Multipart Boundary in lm-sys/fastchat

Vendor Lm-Sys

Product lm-sys/fastchat

Weakness CWE-835

Published March 20, 2025

Last update October 15, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

In lm-sys/fastchat Release v0.2.36, the server fails to handle excessive characters appended to the end of multipart boundaries. This flaw can be exploited by sending malformed multipart requests with arbitrary characters at the end of the boundary. Each extra character is processed in an infinite loop, leading to excessive resource consumption and a complete denial of service (DoS) for all users. The vulnerability is unauthenticated, meaning no user login or interaction is required for an attacker to exploit this issue.

Key dates

02Disclosure timeline

March 20, 2025 CVE published

October 15, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-10907 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/835.html

Related vulnerabilities

CVE-2024-10907: Denial of Service (DoS) via Multipart Boundary in lm-sys/fastchat

01Description

02Disclosure timeline

03References

04Related CVE