DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-5X67-J5XG-C5GJ: Denial of Service via Uncontrolled Resource Consumption in Bugsink Ingestion Pipeline

Vulnerability ID: GHSA-5X67-J5XG-C5GJ
CVSS Score: 4.3
Published: 2026-06-05

Bugsink, a Sentry-compatible self-hosted error tracker written in Python and Django, is vulnerable to a denial of service (DoS) in versions up to and including 2.2.1. The system's ingestion pipeline historically processed every metadata tag supplied with an incoming error event without bounding the maximum number of tags. Because database writes are serialized in Bugsink's typical single-writer architecture, a single event payload carrying an excessive number of tags can monopolize the database write lock, halting event processing for all other users.

TL;DR

Unbounded metadata tag processing in Bugsink allows unauthenticated users with a valid Project DSN to exhaust database write resources, resulting in a denial of service.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400
  • Attack Vector: Network
  • CVSS v3.1: 4.3 (Medium)
  • EPSS Score: Not Available
  • Impact: Denial of Service (Availability)
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Bugsink (PyPI Package)
  • bugsink: <= 2.2.1 (Fixed in: 2.2.2)

Code Analysis

Commit: 8dca571

fix(tags): cap tags stored per event (MAX_EVENT_TAGS, default 1000)

Commit: 1d0539f

Max event tags: part 2
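The per-event cap the two fix commits describe, written out as an added example (not Bugsink's own code): tags beyond MAX_EVENT_TAGS are dropped before anything is written, and the drop is logged. The 'bugsink.ingest' logger name, the settings hook and the two Sentry tag shapes (mapping or list of pairs) are assumptions.

```python
"""Added example: bound the number of tags stored per ingested event.

Mirrors the intent of the fix (MAX_EVENT_TAGS, default 1000): one event
can contribute at most MAX_EVENT_TAGS tag rows, so a single oversized
payload cannot hold the single-writer database lock for an unbounded
number of writes. Everything here is illustrative, not Bugsink's code.
"""
import logging
from typing import Any

# Logger name assumed from the advisory's remediation step.
logger = logging.getLogger("bugsink.ingest")

# Default taken from the fix commit message; lower it in settings if desired.
MAX_EVENT_TAGS = 1000


def cap_event_tags(event: dict[str, Any],
                   max_tags: int = MAX_EVENT_TAGS) -> tuple[dict[str, str], int]:
    """Return (tags_to_store, dropped_count) for an incoming event payload.

    `tags` is accepted as a mapping or as a list of [key, value] pairs (both
    shapes are assumed here). Entries are normalised to str -> str, kept in
    first-seen order, and everything past `max_tags` is dropped, not stored.
    """
    raw = event.get("tags") or {}
    if isinstance(raw, dict):
        items = list(raw.items())
    else:
        items = [tuple(p) for p in raw if isinstance(p, (list, tuple)) and len(p) == 2]

    kept: dict[str, str] = {}
    dropped = 0
    for key, value in items:
        if len(kept) >= max_tags:
            dropped += 1          # count, never store, once the cap is reached
            continue
        kept[str(key)] = str(value)

    if dropped:
        # Warning is what step 4 of the remediation list tells operators to watch for.
        logger.warning("event %s: dropped %d tags over MAX_EVENT_TAGS=%d",
                       event.get("event_id", "<unknown>"), dropped, max_tags)
    return kept, dropped


if __name__ == "__main__":
    # Constructed payload: 1500 tags on one event, well over the default cap.
    oversized = {"event_id": "constructed-0001",
                 "tags": {f"k{i}": i for i in range(1500)}}
    kept, dropped = cap_event_tags(oversized)
    print(len(kept), dropped)  # 1000 500
```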

Exploit Details

Mitigation Strategies

  • Upgrade to Bugsink version 2.2.2 or higher to enforce automatic tag limits.
  • Manually configure MAX_EVENT_TAGS to a low value (e.g., 50 or 100) in environment settings if running an older release.
  • Implement request size limits at the reverse proxy or Web Application Firewall (WAF) level to block oversized JSON payloads on the ingestion endpoints.

Remediation Steps:

  1. Identify the current Bugsink version via package configuration or deployment specifications.
  2. Upgrade with pip, quoting the version specifier so the shell does not treat ">=" as a redirection: pip install --upgrade "bugsink>=2.2.2".
  3. Restart the Bugsink server process to apply changes and verify configuration parameters.
  4. Monitor server logs for 'bugsink.ingest' warnings to identify truncated payloads or exploit attempts.

Read the full report for GHSA-5X67-J5XG-C5GJ on our website for more details including interactive diagrams and full exploit analysis.
