{"uuid": "c08b8e0e-fc62-4bc3-be77-968febbc6fd3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50882", "type": "seen", "source": "https://gist.github.com/pyuysig/e5b8c018b2d323b0b4ddffb9ebce9a80", "content": "# Vulnerability Report: CVE-2026-50882 - paste - Compressed paste content can expand beyond request limits\n\n## Vulnerability Summary\nanna-is-cute paste 0.1.1 contains a denial-of-service issue in compressed paste content deserialization. An unauthenticated remote attacker can submit gzip- or xz-compressed content to /api/v0/pastes that expands far beyond the JSON request limit during deserialization, leading to resource exhaustion.\n\n## Affected Product\n- **Vendor**: anna-is-cute\n- **Product**: paste\n- **Version**: 0.1.1\n- **Vulnerable Component**: POST /api/v0/pastes, webserver/src/models/paste/mod.rs gzip_base64_serde and xz_base64_serde, webserver/src/database/models/pastes.rs create_file\n\n## Vulnerability Details\n- **Vulnerability Type**: Resource Management Error\n- **Weakness**: CWE-400, CWE-770\n- **Attack Conditions**: POST /api/v0/pastes with crafted gzip_base64 or xz_base64 content that expands after deserialization.\n\n## Report Body\n\n### Summary\nanna-is-cute paste 0.1.1 contains a denial-of-service issue in compressed paste content deserialization. An unauthenticated remote attacker can submit gzip- or xz-compressed content to /api/v0/pastes that expands far beyond the JSON request limit during deserialization, leading to resource exhaustion.\n\n### Details\nCompressed paste fields are decoded and decompressed during model deserialization. The configured JSON request size limit applies to the compressed representation, not the expanded output.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50882.\n3. Confirm the security result: A small compressed JSON field expands to content far larger than the 1 MiB request limit and consumes server resources during paste creation.\n\n### Impact\nUnauthenticated remote denial of service through decompression-based memory or disk amplification.\n\n## Remediation\nApply maximum decompressed-size limits, stream decompression with bounds, and reject compressed content that exceeds configured paste size limits.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:51.000000Z"}