CVE-2024-58259

Aliases: GHSA-4h45-jpvh-6p5j, GO-2025-3923
Advisory lineage: Upstream 0, Downstream 2
Deferred
Published: 02 Sept 2025, 11:53
Last modified: 02 Sept 2025, 13:28

Vulnerability Summary

Overall Risk (default)
medium
33/100
CVSS Score
8.2 HIGH
v3.1 (cve.org)
EPSS Score
0.04% LOW
0% probability +0.01%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

02 Sept 2025, 11:53
Published
Vulnerability first disclosed
02 Sept 2025, 13:28
Last Modified
Vulnerability information updated

Description

A vulnerability has been identified in Rancher Manager in which it did not enforce request body size limits on certain public (unauthenticated) and authenticated API endpoints. A malicious user can exploit this by sending excessively large payloads, which are fully loaded into memory during processing, leading to denial of service (DoS).

CVSS Metrics

  • v3.1 HIGH, Score: 8.2, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

EPSS Trends

Current EPSS score: 0.04% Percentile: 12%

Techniques & Countermeasures

  • CWE-770: Allocation of Resources Without Limits or Throttling

    The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

  • github.com/rancher/rancher

    ≥ 2.12.0, < 2.12.1 | ≥ 2.11.0, < 2.11.5 | ≥ 2.10.0, < 2.10.9 | ≥ 2.9.0, < 2.9.11 | < 0.0.0-20250813072957-aee95d4e2a41

  • suse / rancher

    ≥ 2.12.0, < 2.12.1 | ≥ 2.11.0, < 2.11.5 | ≥ 2.10.0, < 2.10.9 | ≥ 2.9.0, < 2.9.11 | < 0.0.0-20250813072957-aee95d4e2a41

References (8)