CTFd 3.7.4 has been released with a security fix for a vulnerability where an attacker could perform a Denial of Service against a CTFd instance.
CTFd v2.2.0 to v3.7.3 are affected.
We recommend all CTFd users update their instance to v3.7.4.
If your CTFd instance cannot be easily updated, we recommend installing a plugin that limits the length of email addresses submitted by untrusted users to the registration form, so that overlong values are rejected before the vulnerable code path is reached.
For example:

```python
from flask import request, abort


def load(app):
    # CTFd calls load(app) for every plugin at startup. Keep a reference to
    # the original registration view so it can still run once the
    # length check has passed.
    store = app.view_functions["auth.register"]

    def limit_email_length():
        # Reject the request before the original handler sees the email.
        # 320 characters is the upper bound used by the v3.7.4 fix.
        if len(request.form.get("email", "")) > 320:
            abort(403, description="Please use a shorter email address")
        return store()

    # Replace the registered view so Flask dispatches to the wrapper.
    app.view_functions["auth.register"] = limit_email_length
```

This file can be placed in CTFd/plugins/register_email_limit/__init__.py.
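To confirm that such a wrapper actually blocks overlong emails (including the boundary at exactly 320 characters) before deploying it, the following added example, which is not CTFd code, builds a minimal Flask app with a stand-in `auth.register` endpoint (an assumption standing in for CTFd's real auth blueprint), applies the same wrapping technique, and exercises it with Flask's test client so the check runs offline without a CTFd instance:

```python
"""Offline check for the register-view wrapper.

Added example, not CTFd's own code. The Blueprint below is a stand-in
for CTFd's real ``auth`` blueprint so that the wrapping technique used by
the mitigation plugin can be exercised with Flask's test client.
"""
from flask import Blueprint, Flask, abort, request

MAX_EMAIL_LENGTH = 320  # same bound as the mitigation plugin


def load(app):
    """Wrap the registered view so overlong emails are rejected first."""
    original_view = app.view_functions["auth.register"]

    def limit_email_length(*args, **kwargs):
        # Only the form field is inspected; the original handler never
        # runs for an email longer than MAX_EMAIL_LENGTH.
        if len(request.form.get("email", "")) > MAX_EMAIL_LENGTH:
            abort(403, description="Please use a shorter email address")
        return original_view(*args, **kwargs)

    app.view_functions["auth.register"] = limit_email_length


def make_app():
    """Build a stand-in app (assumption: mimics CTFd's auth blueprint)."""
    app = Flask(__name__)
    auth = Blueprint("auth", __name__)

    @auth.route("/register", methods=["GET", "POST"])
    def register():
        # Stand-in for CTFd's real registration handler; it just echoes
        # the submitted address so a successful pass-through is visible.
        return "registered {}".format(request.form.get("email", "")), 200

    app.register_blueprint(auth)
    load(app)  # apply the mitigation exactly as the plugin would
    return app


def register_status(app, email):
    """POST a constructed email and return the HTTP status the app yields."""
    client = app.test_client()
    resp = client.post("/register", data={"email": email})
    return resp.status_code


if __name__ == "__main__":
    app = make_app()
    # Constructed inputs: a normal address, the boundary, one over, and
    # an oversized payload of the kind an attacker would submit.
    for total in (20, 320, 321, 100_000):
        email = "a" * (total - len("@example.com")) + "@example.com"
        print(total, register_status(app, email))
```

Run it directly to see the status code for each length; anything above 320 characters should come back as 403 while the rest reach the stand-in handler and return 200. Because `load()` is applied through `app.view_functions` exactly as the plugin does, the same harness can be pointed at the real plugin module by importing its `load` instead.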
v3.7.4 has already been deployed to Hosted CTFd customers. Self-hosted users can download the latest version of CTFd from GitHub.