{"uuid": "b0a0b163-1d30-42de-bbf0-db18385b49e7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-V25J-WQCW-FVHJ", "type": "seen", "source": "https://gist.github.com/alon710/b27f7301077d94aa9dd0bb4f02951091", "content": "# GHSA-V25J-WQCW-FVHJ: Uncontrolled Resource Consumption via Unbounded Date Sequences in wger\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-05-13\n> **Full Report:** https://cvereports.com/reports/GHSA-V25J-WQCW-FVHJ\n\n## Summary\nwger is susceptible to an authenticated Denial of Service (DoS) vulnerability due to uncontrolled resource consumption (CWE-400). The flaw resides in the application's handling of date sequences within routine configurations, allowing authenticated attackers to exhaust server resources by defining enormous date ranges.\n\n## TL;DR\nAuthenticated attackers can trigger a Denial of Service by creating workout routines with excessively large date ranges, causing unbounded loops that exhaust server CPU and worker threads.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (Authenticated API)\n- **Impact**: Denial of Service (CPU Exhaustion)\n- **Exploit Status**: Proof-of-Concept\n- **Patch Status**: Available\n- **CVSS Severity**: High (7.5 estimated)\n\n## Affected Systems\n\n- wger Workout Manager backend API\n- **wger**: < commit 5f07a4473e2c32d298c8cdd31d78e5107840039c\n\n## Mitigation\n\n- Upgrade to a patched version incorporating the 120-day duration limit.\n- Implement WAF rules limiting the date range in POST/PATCH requests to routine endpoints.\n- Sanitize the database to remove existing malicious routine entries.\n\n**Remediation Steps:**\n1. Update the wger deployment to include commit 5f07a4473e2c32d298c8cdd31d78e5107840039c.\n2. Query the database for existing routines exceeding 120 days and delete or truncate them.\n3. Implement network-level rate limiting on the `/api/v1/routine/` endpoint.\n\n## References\n\n- [GitHub Advisory GHSA-V25J-WQCW-FVHJ](https://github.com/advisories/GHSA-V25J-WQCW-FVHJ)\n- [Fix Commit 5f07a4473e2c32d298c8cdd31d78e5107840039c](https://github.com/wger-project/wger/commit/5f07a4473e2c32d298c8cdd31d78e5107840039c)\n- [wger-project GitHub Repository](https://github.com/wger-project/wger)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-V25J-WQCW-FVHJ) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-13T16:40:29.000000Z"}