{"id":"CVE-2018-16789","details":"libhttp/url.c in shellinabox through 2.20 has an implementation flaw in the HTTP request parsing logic. By sending a crafted multipart/form-data HTTP request, an attacker could exploit this to force shellinaboxd into an infinite loop, exhausting available CPU resources and taking the service down.","modified":"2026-04-11T11:40:01.609125Z","published":"2019-03-21T16:00:22.547Z","references":[{"type":"ADVISORY","url":"https://code.google.com/archive/p/shellinabox/issues"},{"type":"FIX","url":"http://packetstormsecurity.com/files/149978/Shell-In-A-Box-2.2.0-Denial-Of-Service.html"},{"type":"FIX","url":"http://seclists.org/fulldisclosure/2018/Oct/50"},{"type":"FIX","url":"https://github.com/shellinabox/shellinabox/commit/4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/shellinabox/shellinabox","events":[{"introduced":"0"},{"last_affected":"5c7fb5cde2d2a74775af040549bb5cb11aae6790"},{"fixed":"4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.20"}]}}],"versions":["v2.11","v2.12","v2.13","v2.14","v2.15","v2.15-rc2","v2.16","v2.17","v2.18","v2.19","v2.20"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/shellinabox/shellinabox/commit/4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361","signature_type":"Line","target":{"file":"libhttp/url.c"},"signature_version":"v1","deprecated":false,"id":"CVE-2018-16789-95780f45","digest":{"line_hashes":["108587633537507210242609878158511307392","108587633537507210242609878158511307392","55349953397407534518078989044189755933","200263102641848300981171117296208127289"],"threshold":0.9}},{"source":"https://github.com/shellinabox/shellinabox/commit/4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361","signature_type":"Function","target":{"file":"libhttp/url.c","function":"urlParsePostBody"},"signature_version":"v1","deprecated":false,"id":"CVE-2018-16789-faaf7bc7","digest":{"length":1668,"function_hash":"312959051071918327107693244833019918451"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-16789.json","vanir_signatures_modified":"2026-04-11T11:40:01Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}