CVE-2025-71377
Deferred
Deferred - Pending Action
Resource Exhaustion in StoaChat Delta via Message Limit Bypass
Vulnerability report for CVE-2025-71377, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-16
Last updated on: 2026-07-16
Assigner: VulnCheck
Description
Description
stoatchat (delta) versions before 20250210-1 (0.8.2) contain a logic error in the query messages route. When fetching messages 'nearby' another message, the database query can be given a message limit of zero, which the database interprets as 'no limit'. A remote unauthenticated attacker can craft nearby message fetch requests to download an entire channel's message history in a single expensive request, and can send many such requests in parallel, resulting in denial of service through resource exhaustion.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| stoatchat | stoatchat | to 20250210-1 (exc) |
| stoatchat | stoatchat | to 20241227-2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1025 | The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses. |