Bug #62 (closed)
Improper Handling of Malformed Multipart Requests Leading to Potential Connection Exhaustion (API-WEB)
Description
The /api/clients/add endpoint does not properly handle malformed multipart/form-data requests. When an incorrect multipart boundary is provided, the server does not reject the request and instead keeps the connection open without returning a response.
This indicates that:
- Multipart parsing does not fail fast on invalid input
- No request parsing timeout is enforced
- Connections remain open while the server waits for completion of the request body
Proof of Concept (PoC)
- Send a malformed multipart request
Header:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryABC
Body (intentionally incorrect boundary):
------WebKitFormBoundaryABC
Content-Disposition: form-data; name="first_name"
test
------WebKitFormBoundaryABC2
- Observed behavior
No HTTP response returned
No status code received
Connection remains open indefinitely
Tools show the request as pending (e.g., size = -1)
- Validation
When boundary is corrected → request completes successfully
When malformed → request hangs indefinitely
Testing Performed
Opened 100+ concurrent malformed requests
Observed:
- Connections remained open
- No immediate service disruption
- Legitimate requests continued to succeed
Observed Behavior
Server accepts the malformed request but does not terminate it
No timeout or error response is triggered
Connections persist indefinitely until manually closed
Expected Behavior
Server should:
- Immediately reject malformed multipart requests with:
HTTP/1.1 400 Bad Request
- OR enforce a request/body read timeout and close the connection
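The following is an added example, not code from the API-WEB project, showing both expected behaviours side by side: a multipart/form-data parser that fails fast on the mismatched-boundary body from the PoC above and answers 400, and a body read with a deadline so a client that stalls mid-body cannot hold the connection open. The endpoint name /api/clients/add and the boundary value come from the report; the function names, the 65536-byte read size and the sample bodies are constructed for illustration.

```python
import re
import socket

# Added example (not the API-WEB project's code): a fail-fast multipart/form-data
# validator plus a bounded body read, illustrating the two expected behaviours.
# The endpoint name /api/clients/add comes from the report; everything else is assumed.


class MalformedMultipart(ValueError):
    """The body can never become a valid multipart message; answer 400 now."""


class BodyReadTimeout(Exception):
    """The client did not deliver the declared body in time; close the connection."""


_BOUNDARY_RE = re.compile(r'boundary="?([^";]+)"?')


def boundary_from_content_type(content_type: str) -> bytes:
    """Extract and sanity-check the boundary parameter (RFC 2046: 1-70 chars, no trailing space)."""
    match = _BOUNDARY_RE.search(content_type)
    if match is None:
        raise MalformedMultipart("Content-Type lacks a boundary parameter")
    boundary = match.group(1)
    if not 1 <= len(boundary) <= 70 or boundary.endswith(" "):
        raise MalformedMultipart("boundary parameter has an invalid length or trailing space")
    return boundary.encode("ascii")


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Parse a fully received body into {field_name: content}, rejecting invalid input immediately."""
    delimiter = b"--" + boundary_from_content_type(content_type)
    closing = delimiter + b"--"
    # Fail fast 1: the body must open with the declared dash-boundary.
    if not body.startswith(delimiter):
        raise MalformedMultipart("body does not start with the declared boundary")
    # Fail fast 2: a complete body without the closing delimiter (the PoC switches
    # to boundary ...ABC2 and never closes) can never be finished, so there is
    # nothing to wait for.
    if closing not in body:
        raise MalformedMultipart("closing delimiter missing: truncated body or mismatched boundary")

    fields = {}
    # RFC 2046: the CRLF preceding a delimiter belongs to the delimiter, not the part.
    segments = re.split(rb"(?:^|\r\n)" + re.escape(delimiter), body)
    for segment in segments[1:]:  # segments[0] is the (ignored) preamble
        if segment.startswith(b"--"):
            break  # closing delimiter reached; anything after it is epilogue
        if not segment.startswith(b"\r\n"):
            raise MalformedMultipart("delimiter not followed by CRLF")
        headers, sep, content = segment[2:].partition(b"\r\n\r\n")
        if not sep:
            raise MalformedMultipart("part lacks the blank line between headers and content")
        name = re.search(rb'name="([^"]*)"', headers)
        if name is None:
            raise MalformedMultipart("part lacks a Content-Disposition name")
        fields[name.group(1).decode("utf-8", "replace")] = content
    else:
        raise MalformedMultipart("closing delimiter is not on its own line")
    return fields


def handle_upload(content_type: str, body: bytes):
    """What /api/clients/add should do once the body is in hand: 400 on bad input, never a hang."""
    try:
        fields = parse_multipart(content_type, body)
    except MalformedMultipart as exc:
        return 400, "Bad Request: " + str(exc)
    return 200, "OK: fields " + ", ".join(sorted(fields))


def read_body(conn: socket.socket, content_length: int, timeout: float) -> bytes:
    """Read exactly content_length bytes or give up after `timeout` seconds of silence."""
    conn.settimeout(timeout)
    buf = bytearray()
    try:
        while len(buf) < content_length:
            chunk = conn.recv(min(65536, content_length - len(buf)))
            if not chunk:
                raise MalformedMultipart("client closed the connection before sending the full body")
            buf.extend(chunk)
    except socket.timeout:
        raise BodyReadTimeout("body not received within %.1fs; closing connection" % timeout) from None
    return bytes(buf)


def demo_slow_client(timeout: float = 0.2) -> bool:
    """Simulate a client that sends 7 of 100 promised bytes and stalls; True if the server gave up."""
    server_end, client_end = socket.socketpair()
    try:
        client_end.sendall(b"partial")
        try:
            read_body(server_end, 100, timeout)
        except BodyReadTimeout:
            return True
        return False
    finally:
        server_end.close()
        client_end.close()


CONTENT_TYPE = "multipart/form-data; boundary=----WebKitFormBoundaryABC"
# Constructed sample bodies mirroring the report's PoC.
GOOD_BODY = (b"------WebKitFormBoundaryABC\r\n"
             b'Content-Disposition: form-data; name="first_name"\r\n\r\n'
             b"test\r\n"
             b"------WebKitFormBoundaryABC--\r\n")
BAD_BODY = (b"------WebKitFormBoundaryABC\r\n"
            b'Content-Disposition: form-data; name="first_name"\r\n\r\n'
            b"test\r\n"
            b"------WebKitFormBoundaryABC2\r\n")

if __name__ == "__main__":
    print(handle_upload(CONTENT_TYPE, GOOD_BODY))  # (200, 'OK: fields first_name')
    print(handle_upload(CONTENT_TYPE, BAD_BODY))   # 400 with the "closing delimiter missing" reason
    print("slow client rejected:", demo_slow_client())  # True
```

The two checks split the problem the way the report does: once Content-Length bytes are in hand, a missing closing delimiter is a decision, not something to wait for, so the parser answers 400 at once; and while the bytes are still arriving, the socket timeout bounds how long any single connection can sit in the "pending" state that the report observed.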