CVE-2026-50882
Description
An issue in anna-is-cute paste v0.1.1 allows Denial of Service via a crafted POST request to /api/v0/pastes due to lack of decompressed size limit.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An issue in anna-is-cute paste v0.1.1 allows Denial of Service via a crafted POST request to /api/v0/pastes due to lack of decompressed size limit.
Vulnerability
The vulnerability resides in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1. The endpoint accepts JSON Paste objects that can include compressed content encoded in base64 (using gzip or xz). During deserialization, the server decompresses this content before storage; however, no limit is enforced on the decompressed size. The request-size restriction applies only to the compressed representation, allowing a small JSON payload to expand into a much larger allocation and file write. Affected version: 0.1.1 [1].
Exploitation
An attacker with network access to the paste service can craft a POST request to /api/v0/pastes containing highly compressible content (e.g., repeated patterns) that decompresses to many times its original size. No authentication or prior access is required. The steps are: (1) create a JSON payload where the content field is a base64-encoded, compressed string that expands significantly; (2) send the request to the endpoint; (3) observe the server allocate memory during decompression and then write a large file to disk via create_file. Repeating this request rapidly can amplify resource consumption [1].
Impact
Successful exploitation causes a Denial of Service (DoS) through memory pressure or disk exhaustion. The server decompresses the content and writes the resulting large payload to disk without size checks, consuming resources proportional to the decompressed size rather than the submitted JSON size. A remote, unauthenticated attacker can repeatedly trigger this to degrade or crash the service. No data confidentiality or integrity is compromised, but availability is severely affected [1].
Mitigation
No official fix has been published for this CVE as of the disclosure date. The reference [1] does not provide a patched version or workaround. Operators should consider implementing an explicit limit on decompressed content size before or during deserialization, and monitor for unusual request patterns. Until a fix is available, restricting access to the paste endpoint or applying a web application firewall rule to reject oversized decompressed content may reduce risk.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: =0.1.1
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing expanded-size limit before or during decompression of compressed base64 paste content allows a small request to force large memory allocation and disk writes."
Attack vector
An attacker sends a crafted JSON POST request to `/api/v0/pastes` containing a `content` field that uses the supported gzip or xz base64 representation. The compressed payload is small enough to pass any JSON request-size limit, but upon deserialization the server decompresses it into a much larger body. The expanded content is then allocated in memory and written to disk by `create_file`, causing memory pressure or disk exhaustion. Repeating the request amplifies the resource consumption, leading to a denial of service [ref_id=1].
Affected code
The vulnerability resides in the `POST /api/v0/pastes` endpoint and the `webserver/src/database/models/pastes.rs::create_file` function. The `gzip_base64_serde` and `xz_base64_serde` deserialization paths decompress paste content before any expanded-size limit is enforced, and the resulting large data is written to disk by `create_file` [ref_id=1].
What the fix does
The advisory identifies that the missing safeguard is an expanded-size limit before or during decompression and before writing the resulting paste file. No patch is included in the bundle, so the recommended remediation is to enforce a maximum decompressed size check either during the `gzip_base64_serde`/`xz_base64_serde` deserialization step or immediately after decompression, preventing oversized content from being allocated or stored [ref_id=1].
Preconditions
- networkThe attacker must be able to reach the POST /api/v0/pastes endpoint (no authentication is mentioned, so anonymous access is assumed).
- inputThe attacker must craft a JSON payload whose compressed base64 content expands to a much larger size upon decompression.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.