HIGH 7.5
PYSEC-2026-1861
Quivr unauthenticated Denial of Service (DoS) via Multipart Boundary
Details
A Denial of Service (DoS) vulnerability in the file upload feature of stangirard/quivr v0.0.298 allows unauthenticated attackers to cause excessive resource consumption by appending characters to the end of a multipart boundary in an HTTP request. This leads to the server continuously processing each character, rendering the service unavailable and impacting all users.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / quivr-core
Introduced in:
0 No fixed version published yet for quivr-core (pip). Pin to a known-safe version or switch to an alternative.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-9229 [ADVISORY]
- https://github.com/QuivrHQ/quivr [PACKAGE]
- https://github.com/QuivrHQ/quivr/blob/6b07a63e4e969d003710d6f6c6b9df36fd6ea803/backend/api/quivr_api/modules/upload/service/upload_file.py#L68-L101 [WEB]
- https://huntr.com/bounties/946a412d-422f-4623-bb1d-d2646ad23dfd [WEB]
- https://pypi.org/project/quivr-core [PACKAGE]
- https://github.com/advisories/GHSA-m76r-xqqj-mqmv [ADVISORY]