CVE-2025-71377
Deferred Deferred - Pending Action

Resource Exhaustion in StoaChat Delta via Message Limit Bypass

Vulnerability report for CVE-2025-71377, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: VulnCheck

Description

stoatchat (delta) versions before 20250210-1 (0.8.2) contain a logic error in the query messages route. When fetching messages 'nearby' another message, the database query can be given a message limit of zero, which the database interprets as 'no limit'. A remote unauthenticated attacker can craft nearby message fetch requests to download an entire channel's message history in a single expensive request, and can send many such requests in parallel, resulting in denial of service through resource exhaustion.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
stoatchat stoatchat to 20250210-1 (exc)
stoatchat stoatchat to 20241227-2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1025 The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in stoa-chat (delta) versions before 20250210-1 (0.8.2). It involves a logic error in the query messages route where fetching messages nearby another message can set a message limit of zero. The database interprets zero as no limit, allowing an attacker to download an entire channel's message history in one request. Multiple such requests can cause denial of service by exhausting server resources.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high database query loads or excessive message fetch requests. Check for requests with a 'nearby' parameter that may bypass normal limits. Inspect server logs for patterns of large data downloads from single requests.

Impact Analysis

An attacker could exploit this to overload your server by repeatedly downloading large amounts of message data, causing slowdowns or crashes. This disrupts normal operations and may lead to downtime for your chat service.

Compliance Impact

This vulnerability primarily impacts system availability by allowing denial of service through resource exhaustion. While it does not directly expose or leak data, the resource exhaustion could lead to service disruptions that may affect compliance with availability requirements in standards like GDPR (Article 32) and HIPAA (Security Rule). However, the vulnerability itself does not directly violate data protection requirements unless it results in prolonged unavailability of critical systems handling personal or health data.

Mitigation Strategies

Upgrade stoatchat (delta) to version 20250210-1 (0.8.2) or later. Implement rate limiting on message fetch endpoints. Configure database query limits to enforce maximum results per request. Block or monitor for requests with zero or unusually high limits.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71377. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart