Vulnerability Information
Although advanced large-language-model technology is used to produce these entries, the output may still contain inaccurate or outdated information. 神龙 strives to ensure data accuracy, but please verify the details against your own situation before relying on them.
Vulnerability Title
Next AI Draw.io: Unbounded HTTP Body — Denial of Service
Vulnerability Description
Next AI Draw.io is a Next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore, and /api/history-svg) that process incoming requests by accumulating the entire request body into a JavaScript string with no size limit. Node.js therefore buffers the whole payload in the V8 heap, so a single sufficiently large body (e.g., 500 MiB or more) exhausts the process heap and triggers an Out-of-Memory (OOM) error that crashes the MCP server. No authentication is required to send such a request (PR:N in the vector below). This vulnerability is fixed in 0.4.15.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 6.2, Medium)
Vulnerability Type
Allocation of Resources Without Limits or Throttling (CWE-770)
Vulnerability Title
Next AI Draw.io Security Vulnerability
Vulnerability Description
Next AI Draw.io is an AI-driven online diagramming tool developed by the individual developer Dayuan Jiang. Versions of Next AI Draw.io before 0.4.15 contain a security vulnerability caused by the absence of a size limit when handling request bodies, which can exhaust heap memory and cause an out-of-memory error that crashes the MCP server.
CVSS Information
N/A
Vulnerability Type
N/A