
Description

An authenticated Zabbix user (including Guest) is able to cause disproportionate CPU load on the webserver by sending specially crafted parameters to /imgstore.php, leading to potential denial of service.

PUBLISHED Reserved 2025-06-09 | Published 2025-12-01 | Updated 2025-12-01 | Assigner Zabbix




MEDIUM: 6.0 | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-405: Asymmetric Resource Consumption (Amplification)

Product status

Default status: unknown

6.0.0 (git): affected

7.0.0 (git): affected

7.2.0 (git): affected

7.4.0 (git): affected

Credits

Zabbix wants to thank Pamparau Sebastian (sebiee) for submitting this report on the HackerOne bug bounty platform. (reporter)

References

support.zabbix.com/browse/ZBX-27284

cve.org (CVE-2025-49643)

nvd.nist.gov (CVE-2025-49643)
