I (Jon Gaines) was testing an open source web application called Fossil SCM to help teach a friend of mine (Tyler Fryxell) one night a few months ago and discovered a Denial of Service (DoS).

I disclosed it to the developers and submitted a CVE assignment request!

It was approved!

Here is some information I will share about the vulnerability.

I discovered it on a Fossil instance running on a Windows machines with Windows Defender running as the anti-virus. It was a fresh install but completely up to date.

The problem is was when you submit a ticket with malicious strings (I used this whole text found HERE). Although you might be able to just use an EICAR string (found HERE) I’ll have to test that in the future.

Note that an anonymous user can create and submit this ticket. What happens is the application writes the ticket to a temporary file located at


This results in Windows Defender flagging the file and (the application attempting to write the ticket again to a temporary file over and over again) crashing the application, making it inaccessible.

I tested it against version 2.18.

More information can be found HERE

Stay tuned as I have a bunch more new CVEs incoming!

Leave a Reply