CVE-2024-31992

Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a user-controlled URL to issue a request to a remote server, however these requests are not rate-limited. While there are efforts to prevent DDoS by implementing a timeout on requests, it is possible for an attacker to issue a large number of requests to the server which will be handled in batches based on the configuration of the Mealie server. The chunking of responses is helpful for mitigating memory exhaustion on the Mealie server, however a single request to an arbitrarily large external file (e.g. a Debian ISO) is often sufficient to completely saturate a CPU core assigned to the Mealie container. Without rate limiting in place, it is possible to not only sustain traffic against an external target indefinitely, but also to exhaust the CPU resources assigned to the Mealie container. This vulnerability is fixed in 1.4.0.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/mealie-recipes/mealie/blob/mealie-next/mealie/services/scraper/scraper_strategies.py#L27-L70	Product
https://github.com/mealie-recipes/mealie/commit/2a3463b7466bc297aede50046da9550d919ec56f	Patch
https://github.com/mealie-recipes/mealie/pull/3368	Issue Tracking
https://securitylab.github.com/advisories/GHSL-2023-225_GHSL-2023-226_Mealie/	Third Party Advisory
https://github.com/mealie-recipes/mealie/blob/mealie-next/mealie/services/scraper/scraper_strategies.py#L27-L70	Product
https://github.com/mealie-recipes/mealie/commit/2a3463b7466bc297aede50046da9550d919ec56f	Patch
https://github.com/mealie-recipes/mealie/pull/3368	Issue Tracking
https://securitylab.github.com/advisories/GHSL-2023-225_GHSL-2023-226_Mealie/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mealie:mealie:*:*:*:*:*:*:*:*

History

07 Mar 2025, 12:36

Type	Values Removed	Values Added
CWE		CWE-770
CPE		cpe:2.3:a:mealie:mealie::::::::
First Time		Mealie mealie Mealie
References	~~() https://github.com/mealie-recipes/mealie/blob/mealie-next/mealie/services/scraper/scraper_strategies.py#L27-L70 -~~	() https://github.com/mealie-recipes/mealie/blob/mealie-next/mealie/services/scraper/scraper_strategies.py#L27-L70 - Product
References	~~() https://github.com/mealie-recipes/mealie/commit/2a3463b7466bc297aede50046da9550d919ec56f -~~	() https://github.com/mealie-recipes/mealie/commit/2a3463b7466bc297aede50046da9550d919ec56f - Patch
References	~~() https://github.com/mealie-recipes/mealie/pull/3368 -~~	() https://github.com/mealie-recipes/mealie/pull/3368 - Issue Tracking
References	~~() https://securitylab.github.com/advisories/GHSL-2023-225_GHSL-2023-226_Mealie/ -~~	() https://securitylab.github.com/advisories/GHSL-2023-225_GHSL-2023-226_Mealie/ - Third Party Advisory

21 Nov 2024, 09:14

Type	Values Removed	Values Added
References	~~() https://github.com/mealie-recipes/mealie/blob/mealie-next/mealie/services/scraper/scraper_strategies.py#L27-L70 -~~	() https://github.com/mealie-recipes/mealie/blob/mealie-next/mealie/services/scraper/scraper_strategies.py#L27-L70 -
References	~~() https://github.com/mealie-recipes/mealie/commit/2a3463b7466bc297aede50046da9550d919ec56f -~~	() https://github.com/mealie-recipes/mealie/commit/2a3463b7466bc297aede50046da9550d919ec56f -
References	~~() https://github.com/mealie-recipes/mealie/pull/3368 -~~	() https://github.com/mealie-recipes/mealie/pull/3368 -
References	~~() https://securitylab.github.com/advisories/GHSL-2023-225_GHSL-2023-226_Mealie/ -~~	() https://securitylab.github.com/advisories/GHSL-2023-225_GHSL-2023-226_Mealie/ -

22 Apr 2024, 13:28

Type	Values Removed	Values Added
Summary		(es) Mealie es un administrador de recetas y planificador de comidas autónomo. Antes de 1.4.0, la función safe_scrape_html utiliza una URL controlada por el usuario para emitir una solicitud a un servidor remoto; sin embargo, estas solicitudes no tienen una velocidad limitada. Si bien se están realizando esfuerzos para evitar DDoS implementando un tiempo de espera en las solicitudes, es posible que un atacante emita una gran cantidad de solicitudes al servidor que se manejarán en lotes según la configuración del servidor Mealie. La fragmentación de las respuestas es útil para mitigar el agotamiento de la memoria en el servidor Mealie; sin embargo, una sola solicitud a un archivo externo arbitrariamente grande (por ejemplo, una ISO de Debian) suele ser suficiente para saturar completamente un núcleo de CPU asignado al contenedor Mealie. Sin una limitación de velocidad, es posible no solo mantener el tráfico contra un objetivo externo indefinidamente, sino también agotar los recursos de CPU asignados al contenedor Mealie. Esta vulnerabilidad se solucionó en 1.4.0.

19 Apr 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-19 21:15

Updated : 2025-03-07 12:36

NVD link : CVE-2024-31992

Mitre link : CVE-2024-31992

CVE.ORG link : CVE-2024-31992

JSON object : View

Products Affected

mealie

mealie

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2024-31992", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-04-19T21:15:08.337", "references": [{"url": "https://github.com/mealie-recipes/mealie/blob/mealie-next/mealie/services/scraper/scraper_strategies.py#L27-L70", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mealie-recipes/mealie/commit/2a3463b7466bc297aede50046da9550d919ec56f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mealie-recipes/mealie/pull/3368", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://securitylab.github.com/advisories/GHSL-2023-225_GHSL-2023-226_Mealie/", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mealie-recipes/mealie/blob/mealie-next/mealie/services/scraper/scraper_strategies.py#L27-L70", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/mealie-recipes/mealie/commit/2a3463b7466bc297aede50046da9550d919ec56f", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/mealie-recipes/mealie/pull/3368", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://securitylab.github.com/advisories/GHSL-2023-225_GHSL-2023-226_Mealie/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a user-controlled URL to issue a request to a remote server, however these requests are not rate-limited. While there are efforts to prevent DDoS by implementing a timeout on requests, it is possible for an attacker to issue a large number of requests to the server which will be handled in batches based on the configuration of the Mealie server. The chunking of responses is helpful for mitigating memory exhaustion on the Mealie server, however a single request to an arbitrarily large external file (e.g. a Debian ISO) is often sufficient to completely saturate a CPU core assigned to the Mealie container. Without rate limiting in place, it is possible to not only sustain traffic against an external target indefinitely, but also to exhaust the CPU resources assigned to the Mealie container. This vulnerability is fixed in 1.4.0."}, {"lang": "es", "value": "Mealie es un administrador de recetas y planificador de comidas aut\u00f3nomo. Antes de 1.4.0, la funci\u00f3n safe_scrape_html utiliza una URL controlada por el usuario para emitir una solicitud a un servidor remoto; sin embargo, estas solicitudes no tienen una velocidad limitada. Si bien se est\u00e1n realizando esfuerzos para evitar DDoS implementando un tiempo de espera en las solicitudes, es posible que un atacante emita una gran cantidad de solicitudes al servidor que se manejar\u00e1n en lotes seg\u00fan la configuraci\u00f3n del servidor Mealie. La fragmentaci\u00f3n de las respuestas es \u00fatil para mitigar el agotamiento de la memoria en el servidor Mealie; sin embargo, una sola solicitud a un archivo externo arbitrariamente grande (por ejemplo, una ISO de Debian) suele ser suficiente para saturar completamente un n\u00facleo de CPU asignado al contenedor Mealie. Sin una limitaci\u00f3n de velocidad, es posible no solo mantener el tr\u00e1fico contra un objetivo externo indefinidamente, sino tambi\u00e9n agotar los recursos de CPU asignados al contenedor Mealie. Esta vulnerabilidad se solucion\u00f3 en 1.4.0."}], "lastModified": "2025-03-07T12:36:39.820", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mealie:mealie:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "176FB8C0-1317-46C1-A470-EAC757778773", "versionEndExcluding": "1.4.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

6.5 /10