GHSA-V25J-WQCW-FVHJ: Uncontrolled Resource Consumption via Unbounded Date Sequences in wger
Vulnerability ID: GHSA-V25J-WQCW-FVHJ
CVSS Score: 7.5
Published: 2026-05-13
wger is susceptible to an authenticated Denial of Service (DoS) vulnerability due to uncontrolled resource consumption (CWE-400). The flaw resides in the application's handling of date sequences within routine configurations, allowing authenticated attackers to exhaust server resources by defining enormous date ranges.
TL;DR
Authenticated attackers can trigger a Denial of Service by creating workout routines with excessively large date ranges, causing unbounded loops that exhaust server CPU and worker threads.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-400
- Attack Vector: Network (Authenticated API)
- Impact: Denial of Service (CPU Exhaustion)
- Exploit Status: Proof-of-Concept
- Patch Status: Available
- CVSS Severity: High (7.5 estimated)
Affected Systems
- wger Workout Manager backend API
- wger: < commit 5f07a4473e2c32d298c8cdd31d78e5107840039c
Code Analysis
Commit 5f07a44: Move routine validation to the serializer
Mitigation Strategies
- Upgrade to a patched version incorporating the 120-day duration limit.
- Implement WAF rules limiting the date range in POST/PATCH requests to routine endpoints.
- Sanitize the database to remove existing malicious routine entries.
Remediation Steps
- Update the wger deployment to include commit 5f07a4473e2c32d298c8cdd31d78e5107840039c.
- Query the database for existing routines exceeding 120 days and delete or truncate them.
- Implement network-level rate limiting on the /api/v1/routine/ endpoint.
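The kind of bound the fix commit describes, as an added illustration and not wger's own serializer code: a plain-Python stand-in for a DRF validate() hook that rejects a routine whose inclusive span exceeds 120 days before any code walks the range day by day, plus a helper that applies the same check to stored rows for the database cleanup step. The function names, the ValueError stand-in for ValidationError, the field names start/end and the sample rows are assumptions.

```python
from datetime import date, timedelta
from typing import Dict, Iterable, Iterator, List, Union

MAX_ROUTINE_DAYS = 120  # assumed cap, matching the 120-day limit in the advisory
DateLike = Union[date, str]  # API payloads arrive as ISO strings


def _as_date(value: DateLike) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


def validate_routine_dates(attrs: Dict[str, DateLike],
                           max_days: int = MAX_ROUTINE_DAYS) -> Dict[str, date]:
    """Shaped like a DRF validate(self, attrs) hook; ValueError stands in for
    ValidationError. The range is rejected here, before anything walks it."""
    if attrs.get("start") is None or attrs.get("end") is None:
        raise ValueError("start and end dates are required")
    start, end = _as_date(attrs["start"]), _as_date(attrs["end"])
    if end < start:
        raise ValueError("end date must not be before start date")
    span = (end - start).days + 1  # inclusive day count
    if span > max_days:
        raise ValueError(f"routine spans {span} days; the limit is {max_days}")
    return {"start": start, "end": end}


def routine_days(attrs: Dict[str, DateLike]) -> Iterator[date]:
    """Yield each day of a routine; only reachable once the bound has passed."""
    clean = validate_routine_dates(attrs)
    current = clean["start"]
    while current <= clean["end"]:
        yield current
        current += timedelta(days=1)


def oversized_routines(routines: Iterable[Dict[str, DateLike]],
                       max_days: int = MAX_ROUTINE_DAYS) -> List[int]:
    """Ids of stored rows that fail the cap check (for the database cleanup step)."""
    flagged = []
    for row in routines:
        try:
            validate_routine_dates(row, max_days)
        except ValueError:
            flagged.append(row["id"])
    return flagged
```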
References
- GitHub Advisory GHSA-V25J-WQCW-FVHJ
- Fix Commit 5f07a4473e2c32d298c8cdd31d78e5107840039c
- wger-project GitHub Repository