- Vulnerability Type: Server-Side Template Injection (SSTI)
- Vendor: dgtlmoon
- Product: changedetection.io
- Affected Version: <= 0.51.4
- Component: Notification Title field
A Server-Side Template Injection (SSTI) vulnerability exists in changedetection.io (versions <= 0.51.4), allowing a remote attacker to cause a Denial of Service (DoS) via resource exhaustion.
The vulnerability stems from unsafe processing of user-supplied data within the Jinja2 template engine. While the application implements a SandboxedEnvironment to prevent Remote Code Execution (RCE) by blocking unsafe attributes, it fails to restrict computational complexity or memory usage for standard operations.
An attacker can inject a Python expression (specifically a string repetition with an enormous multiplier) into the Notification Title field. When the application renders this template, the Python process attempts to allocate an abnormal amount of memory, leading to an application crash or complete host system instability (OOM).
- Setup: Deploy a local instance of changedetection.io (e.g., using Docker).
- Navigate: Go to the Settings -> Notifications tab.
- Inject: In the Notification Title input field, insert the following Jinja2 payload:
  {{ "a" * 10000000000 }}
- Trigger: Click the "Save" or "Send Test Notification" button.
- Observe:
  - The web request hangs indefinitely (browser status: "Waiting for localhost...").
  - As shown in the attached screenshot comparison:
    - Normal State: The application operates with minimal resource usage.
    - Attack State: Immediately after submitting the form with the payload, the docker stats output reveals a critical spike in resource consumption. The container's MEM USAGE rapidly escalated to over 37 GB, while CPU usage saturated the core, confirming that the application is exhausting host resources.
Attackers can exhaust server CPU and memory resources by injecting a specific template, rendering the application unresponsive to legitimate requests. This excessive consumption can escalate to a complete system crash (OOM) of the underlying host.
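The sandbox gap described above (attribute access blocked, arithmetic unbounded) can be closed at the operator level. The following is an added example, not changedetection.io's code: a SandboxedEnvironment subclass that routes `*` and `**` through Jinja2's `call_binop` hook and rejects oversized results before any allocation happens. The limits, the `render_title`/`is_title_safe` helpers and the `watch_url` variable are assumptions for this example.

```python
"""Added example (not changedetection.io's code): bound the size of values a
sandboxed Jinja2 template may build, so {{ "a" * 10000000000 }} fails fast."""
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed limits for this example: longest repeat result (chars or items)
# a single '*' may produce, and the largest exponent '**' may use.
MAX_REPEAT_LEN = 10_000
MAX_EXPONENT = 64


class BoundedSandbox(SandboxedEnvironment):
    """SandboxedEnvironment whose '*' and '**' refuse oversized results.

    The stock sandbox blocks unsafe attributes but evaluates arithmetic with no
    limit, so a sequence repeat with a huge count is allocated in full.
    Listing the operators in `intercepted_binops` disables constant folding for
    them and routes them through `call_binop`, where the size is checked first.
    """
    intercepted_binops = frozenset({"*", "**"})

    def call_binop(self, context, operator, left, right):
        if operator == "*":
            # Either operand may be the sequence in `seq * n` or `n * seq`.
            for seq, count in ((left, right), (right, left)):
                if isinstance(seq, (str, bytes, list, tuple)) and isinstance(count, int):
                    if len(seq) * max(count, 0) > MAX_REPEAT_LEN:
                        raise SecurityError(
                            f"repeat would produce {len(seq) * count} items")
        elif operator == "**":
            if isinstance(right, int) and abs(right) > MAX_EXPONENT:
                raise SecurityError(f"exponent {right} exceeds {MAX_EXPONENT}")
        return super().call_binop(context, operator, left, right)


def render_title(template_source: str, **context) -> str:
    """Render an untrusted notification-title template or raise SecurityError."""
    env = BoundedSandbox(autoescape=False)
    return env.from_string(template_source).render(**context)


def is_title_safe(template_source: str, **context) -> bool:
    """True if the template renders within the bounds, False if it is rejected."""
    try:
        render_title(template_source, **context)
    except SecurityError:
        return False
    return True


if __name__ == "__main__":
    print(render_title("Change on {{ watch_url }}", watch_url="https://example.test"))
    print(is_title_safe('{{ "a" * 10000000000 }}'))  # False, rejected before allocating
```

The check runs per operator at render time, so it also covers repeats built from template variables rather than literals; a wall-clock timeout around the render call remains a useful second layer.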