GHSA-7xp7-m392-h92c: @evomap/evolver has an unbounded request body in proxy /asset/submit that causes persistent disk-exhaustion DoS
The EvoMap proxy daemon's HTTP body parser accepts request bodies of any size, and the POST /asset/submit route persists the full body, verbatim and uncapped, as one JSONL line in <dataDir>/messages.jsonl. An unauthenticated local attacker (another local user, a container neighbour, or a malicious npm postinstall script running on the same host) can repeatedly POST large bodies until the disk is full. On restart the daemon synchronously reads the entire file with fs.readFileSync, so the out-of-memory crash is persistent: every restart re-reads the whole file and fails again.