CVE-2025-71377
stoatchat before 20250210-1 Unrestricted Message History Fetch
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
stoatchat (delta) versions before 20250210-1 (0.8.2) contain a logic error in the query messages route. When fetching messages 'nearby' another message, the database query can be given a message limit of zero, which the database interprets as 'no limit'. A remote unauthenticated attacker can craft nearby message fetch requests to download an entire channel's message history in a single expensive request, and can send many such requests in parallel, resulting in denial of service through resource exhaustion.
| CWE | CWE-1025 |
| Vendor | stoatchat |
| Product | stoatchat |
| Published | Jul 16, 2026 |
| Last Updated | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for stoatchat stoatchat
Be the first to know when new unknown vulnerabilities affecting stoatchat stoatchat are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
stoatchat / stoatchat
0 < 20250210-1 (0.8.2)
References
github.com: https://github.com/stoatchat/stoatchat/security/advisories/GHSA-h7h6-7pxm-mc66 github.com: https://github.com/stoatchat/stoatchat/commit/5f84daa9dba34c103cd83a2ee1f5e5ba900bfe94 vulncheck.com: https://www.vulncheck.com/advisories/stoatchat-before-20250210-1-unrestricted-message-history-fetch