CVE-2018-16789
Description
ShellInABox 2.20 has a parsing flaw in libhttp/url.c that allows a crafted multipart/form-data HTTP request to trigger an infinite loop, causing CPU exhaustion and denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in libhttp/url.c within ShellInABox through version 2.20. The HTTP request parsing logic fails to properly handle malformed multipart/form-data boundaries. When a request contains a broken or incomplete boundary sequence, the parser enters an infinite loop, consuming 100% CPU and blocking subsequent requests. This was identified by Imre Rad on 9/9/18 and fixed in commit 4f0ecc31 for version 2.21 [1][2].
Exploitation
An attacker needs only network access to the ShellInABox service. No authentication, write access, or user interaction is required. The attacker sends a crafted HTTP POST request with multipart/form-data content where the boundary delimiter is intentionally corrupted (e.g., missing final boundary or malformed separator). The parsing loop never terminates, exhausting CPU resources and causing denial of service [1][2].
Impact
The attack results in complete CPU exhaustion on the target machine. The ShellInABox daemon (shellinaboxd) stops processing any further HTTP requests, effectively taking the service offline. No data disclosure, file write, or remote code execution occurs — the impact is strictly availability (denial of service) [1][2].
Mitigation
The fix is implemented in commit 4f0ecc31 and released in version 2.21 of ShellInABox. Users must upgrade to 2.21 or later. No workarounds are available for unpatched versions. The vulnerability is not listed in KEV as of this writing [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: v2.11, v2.12, v2.13, …
- (no CPE) range: <=2.20
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A flaw in the HTTP request parsing logic for multipart/form-data requests leads to an infinite loop."
Attack vector
An attacker can trigger this vulnerability by sending a specially crafted HTTP request with a multipart/form-data content type. This malformed request causes the server to enter an infinite loop while parsing the data. The vulnerability is described as a "DoS vulnerability" where "shellinaboxd eating up 100% cpu and not processing subsequent requests after the attack was mounted" [ref_id=1].
Affected code
The vulnerability resides within the HTTP request parsing logic in the `libhttp/url.c` file. Specifically, the issue is related to how `shellinaboxd` handles `multipart/form-data` requests. The commit message notes the detection of "broken multipart/form-data" as the fix [ref_id=1].
What the fix does
The patch introduces a check to detect "broken multipart/form-data" [ref_id=1]. If such malformed data is detected, the server now logs a warning and ignores the request, preventing the infinite loop. This change effectively stops the CPU exhaustion and denial-of-service condition by properly handling invalid multipart data.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/149978/Shell-In-A-Box-2.2.0-Denial-Of-Service.html (MISC)
- seclists.org/fulldisclosure/2018/Oct/50 (MISC)
- code.google.com/archive/p/shellinabox/issues (CONFIRM)
- github.com/shellinabox/shellinabox/commit/4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361 (CONFIRM)