Summary
DoS vulnerabilities persist in ESAPI file uploads despite remediation of CVE-2023-24998
Related to
CVE-2023-24998
Workarounds
- See the 'Solutions' section of Security Bulletin 11, in the References section. If you are not using ESAPI file uploads, see also the 'Workarounds' section.
- Deploy an external WAF or other suitable DoS protection.
- Add additional defenses to your code using HTTPUtilities.getFileUpload, such as requiring prior authentication, restricting how many / much content can be uploaded per user per day or per hour, etc. (It is the opinion of the ESAPI development team that such required controls should not be added to ESAPI because it is a general purpose security library and thus ESAPI ought not be enforcing generic policies like these on everyone, especially it it could break existing code bases.)
References
Security Bulletin 11: How Does CVE-2023-24998 Impact ESAPI?
New ESAPI 2.5.2.0 or later Javadoc on HTTPUtilities.getFileUploads: https://javadoc.io/static/org.owasp.esapi/esapi/2.5.2.0/org/owasp/esapi/HTTPUtilities.html#getFileUploads-javax.servlet.http.HttpServletRequest-java.io.File-java.util.List-
(Note: This link won't work until the 2.5.2.0 release is made official.)
Final Word
(Especially to GitHub Advance Security team / GitHub as a CNA) -- I do not really wish to file a CVE for this. I had originally considered it, but there is no real way to address the general DoS scenarios for file uploads without breaking ESAPI client code which we are not willing to do. The clients have to take some responsibility for this themselves. In the next ESAPI release, I am going to add a reference to the appropriate Javadoc to this GitHub Security Advisory, but that's the best we can do. If you wish to discuss this with me, please first contact me via email at [email protected].
Impact
ESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI HTTPUtilities.getFileUploads methods (or more specifically those methods in the DefaultHTTPUtilities implementation class), I realized that a DoS vulnerability still persists in ESAPI and for that matter in Apache Commons FileUpload as well.
GHSA-7C2Q-5QMR-V76Q has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.5.2.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
ESAPI 2.5.2.0 or later.
Frequently Asked Questions
- What is GHSA-7C2Q-5QMR-V76Q? GHSA-7C2Q-5QMR-V76Q is a high-severity security vulnerability in org.owasp.esapi:esapi (maven), affecting versions < 2.5.2.0. It is fixed in 2.5.2.0.
- How severe is GHSA-7C2Q-5QMR-V76Q? GHSA-7C2Q-5QMR-V76Q has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of org.owasp.esapi:esapi are affected by GHSA-7C2Q-5QMR-V76Q? org.owasp.esapi:esapi (maven) versions < 2.5.2.0 is affected.
- Is there a fix for GHSA-7C2Q-5QMR-V76Q? Yes. GHSA-7C2Q-5QMR-V76Q is fixed in 2.5.2.0. Upgrade to this version or later.
- Is GHSA-7C2Q-5QMR-V76Q exploitable, and should I be worried? Whether GHSA-7C2Q-5QMR-V76Q is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-7C2Q-5QMR-V76Q is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-7C2Q-5QMR-V76Q? Upgrade
org.owasp.esapi:esapito 2.5.2.0 or later.