GHSA-v25j-wqcw-fvhj: wger has an Uncontrolled Resource Consumption issue
Any authenticated user can create a routine spanning an arbitrarily long date range (e.g. 100 years) and then trigger the date_sequence computation via any of the routine detail endpoints. The server iterates once per day in an unbounded while loop with no maximum duration validation, causing a single HTTP request to consume multiple seconds of server CPU and return a response containing tens of thousands of entries. Repeated requests can exhaust all worker threads and deny service to other users.
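The following is an added illustration, not wger's own code: the unbounded one-iteration-per-day loop the advisory describes, beside a hardened form that validates the span before any per-day work happens. The function names, the `MAX_ROUTINE_DAYS` value and the exception type are assumed placeholders, not identifiers from the project.

```python
from datetime import date, timedelta

# Assumed upper bound on a routine's length (placeholder; the page gives no
# project value). The point is that some finite bound exists and is enforced
# before the O(days) loop runs.
MAX_ROUTINE_DAYS = 366 * 2


class RoutineTooLongError(ValueError):
    """Raised when a routine's date range exceeds MAX_ROUTINE_DAYS."""


def date_sequence_unbounded(start: date, end: date) -> list[date]:
    """Sketch of the vulnerable pattern: one loop iteration per day with no
    check on end - start. A 100-year range produces ~36,500 entries and
    CPU time proportional to that count, all inside one HTTP request."""
    out = []
    current = start
    while current <= end:
        out.append(current)
        current += timedelta(days=1)
    return out


def validate_routine_range(start: date, end: date) -> int:
    """Reject inverted or oversized ranges in O(1) before any per-day work.
    Returns the number of days in the inclusive range."""
    if end < start:
        raise ValueError("end date precedes start date")
    days = (end - start).days + 1
    if days > MAX_ROUTINE_DAYS:
        raise RoutineTooLongError(
            f"routine spans {days} days, limit is {MAX_ROUTINE_DAYS}"
        )
    return days


def date_sequence_bounded(start: date, end: date) -> list[date]:
    """Hardened form: the range is validated first, so the cost of serving
    the request is capped by MAX_ROUTINE_DAYS regardless of user input."""
    days = validate_routine_range(start, end)
    return [start + timedelta(days=i) for i in range(days)]
```

The same validation belongs where the routine's dates are first accepted and stored, not only on the read path, so an oversized routine is never persisted in the first place.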