Asset DoS vulnerability

High
raphaelrobert published GHSA-2x9x-vh27-h4rv Jun 3, 2021

Package

No package listed

Affected versions

<= 3.80

Patched versions

3.81

Description

Impact

DoS between users

If a user has an invalid assetID for their profile picture and it contains the " character, it will cause the iOS client to crash.

Patches

When we schedule the request to fetch the invalid asset, the URL object cannot be created because the path contains an illegal URL character. This in turn triggers an assertion, which crashes the app. We can avoid this by not scheduling a request to fetch an asset whose ID contains invalid characters.

Fix: 35af3f6
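
The pattern described under Patches, as an added Swift sketch that is not the code from the fix commit: validate the asset ID before building the request URL, and treat a rejected ID as "nothing to fetch" instead of asserting. All function and type names, the `/assets/` path and the allowed character set are assumptions made for illustration.

```swift
import Foundation

// Hypothetical names throughout; this is not the client's actual code.
enum AssetRequestError: Error, Equatable {
    case invalidAssetID(String)
}

// Assumption: asset IDs consist only of ASCII letters, digits and "-".
// Anything else, such as the double quote from the advisory, is rejected.
let allowedAssetIDCharacters = CharacterSet(charactersIn:
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")

func isValidAssetID(_ assetID: String) -> Bool {
    !assetID.isEmpty &&
        assetID.unicodeScalars.allSatisfy { allowedAssetIDCharacters.contains($0) }
}

// Crash-prone pattern: the ID is set on another user's profile, and
// URL(string:) may return nil for an illegal character, so asserting here
// lets remote data terminate the app.
func unsafeAssetURL(for assetID: String) -> URL {
    guard let url = URL(string: "/assets/\(assetID)") else {
        fatalError("could not build asset URL")
    }
    return url
}

// Hardened pattern: validate first and report failure to the caller,
// which then skips scheduling the request.
func assetURL(for assetID: String) throws -> URL {
    guard isValidAssetID(assetID),
          let url = URL(string: "/assets/\(assetID)") else {
        throw AssetRequestError.invalidAssetID(assetID)
    }
    return url
}

// Constructed sample IDs: one well-formed, one containing ", one empty.
for id in ["3-1-0f1e2d3c", "3-1-0f1e\"2d3c", ""] {
    do {
        let url = try assetURL(for: id)
        print("schedule fetch:", url.path)
    } catch {
        print("skip fetch, invalid asset ID:", id.debugDescription)
    }
}
```

Validating against an allow-list rather than relying on `URL(string:)` returning nil keeps the behaviour the same across Foundation versions that parse illegal characters differently.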

Credits

Reported by Kane Gamble.

Severity

High

CVE ID

CVE-2021-32666

Weaknesses

No CWEs