3 matches found
CVE-2026-44981
CrowdSec LAPI is affected. The LAPI router uses gin-contrib/gzip with DefaultDecompressHandle globally in pkg/apiserver/controllers/controller.go, causing unauthenticated gzip payloads to be decompressed on /v1/watchers and /v1/watchers/login without a maximum decompressed size, which can trigger...
GHSA-273H-GVWR-C3QJ CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression
The LAPI router uses gin-contrib/gzip with DefaultDecompressHandle globally pkg/apiserver/controllers/controller.go. This middleware decompresses incoming request bodies without enforcing a maximum decompressed size. The endpoints /v1/watchers or /v1/watchers/login require no authentication. An...
CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression
The LAPI router uses gin-contrib/gzip with DefaultDecompressHandle globally pkg/apiserver/controllers/controller.go. This middleware decompresses incoming request bodies without enforcing a maximum decompressed size. The endpoints /v1/watchers or /v1/watchers/login require no authentication. An...