CVE-2025-53531: Uncontrolled Resource Consumption in WeGIA parameter fid
CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-53531
Summary
The WeGIA server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the fid parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks.
Details
Vulnerable Endpoint: GET https://comfirewall.wegia.org:8000/WeGIA?fid=111251&file_url=111256&param1=AAAA&param2=BBBB&param3=CCCC...
- The URL accepts parameters concatenated with &, allowing attackers to add an arbitrary amount of data up to 8,142 characters.
- There is no validation for the total URL length or the number of parameters processed by the server.
- During testing, the URL was extended with repeated parameters (&param=-value-), causing resource exhaustion and server instability.
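The checks the advisory reports as missing (a bound on the fid value, on the total query length and on the number of parameters), written out as an added example of server-side validation; this is illustrative code, not WeGIA's own, and the numeric limits are assumed values chosen for the demonstration:

```python
# Added example (not WeGIA's own code): reject the over-long, parameter-stuffed
# requests the advisory describes before any processing cost is paid.
# All limits below are assumptions for illustration, not WeGIA settings.
from typing import Tuple
from urllib.parse import parse_qsl

MAX_QUERY_LEN = 512   # assumed cap on the raw query string (advisory saw 8,142 chars accepted)
MAX_PARAMS = 8        # assumed cap on the number of key=value pairs
MAX_FID_LEN = 12      # assumed cap on the fid value; an identifier never needs more


def validate_query(query: str) -> Tuple[bool, str]:
    """Return (accepted, reason). The cheapest check runs first so a hostile
    request is refused by a length comparison, not by parsing it."""
    if len(query) > MAX_QUERY_LEN:
        return False, f"query too long ({len(query)} > {MAX_QUERY_LEN})"
    try:
        # max_num_fields makes the parser itself refuse parameter stuffing
        fields = parse_qsl(query, keep_blank_values=True, max_num_fields=MAX_PARAMS)
    except ValueError:
        return False, f"too many parameters (> {MAX_PARAMS})"
    params = dict(fields)
    fid = params.get("fid")
    if fid is None:
        return False, "missing fid"
    if not fid.isdigit() or len(fid) > MAX_FID_LEN:
        return False, "fid must be a short numeric identifier"
    return True, "ok"


# Constructed sample inputs modelled on the advisory's endpoint.
LEGIT = "fid=111251&file_url=111256"
STUFFED = LEGIT + "".join(f"&param{i}=AAAA" for i in range(1, 1000))   # thousands of chars
MANY_PARAMS = "fid=1&" + "&".join(f"p{i}=x" for i in range(20))       # short but 21 fields
LONG_FID = "fid=" + "1" * 100 + "&file_url=111256"                    # fid far past its cap

if __name__ == "__main__":
    for name, q in [("legit", LEGIT), ("stuffed", STUFFED),
                    ("many_params", MANY_PARAMS), ("long_fid", LONG_FID)]:
        print(name, validate_query(q))
```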
PoC
Steps to reproduce the issue:
- Execute the following HTTP GET request to reproduce the issue:
- To simulate a high-load attack, use the wrk tool:
Updated Test Results with wrk:
- Requests Processed: 20,799 requests in 1 minute, with 330.90 MB read.
- Average Latency: 280.91ms, peaking at 2 seconds.
- Errors: 98 read errors and 591 timeouts occurred.
- Request Rate: 346.07 requests/sec.
- Data Transfer: 5.51 MB/sec.
Impact
This is a Denial of Service vulnerability. Any unauthenticated user with access to tools like OWASP ZAP can exploit this issue to make the server unresponsive. This affects the availability of the application and could disrupt business operations. The lack of rate limiting and recursive crawling restrictions increases the risk and makes the vulnerability exploitable by low-skilled attackers.
Reference
https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-4ffc-f23j-54m3
Finder
Contributors
By: CVE-Hunters