CTFd 3.7.4
CTFd 3.7.4 has been released with a security fix for a vulnerability where an attacker could perform a Denial of Service against a CTFd instance.
CTFd v2.2.0 to v3.7.3 are affected.
We recommend all CTFd users update their instance to v3.7.4.
If your CTFd instance cannot be easily updated, we recommend using a plugin to restrict the size of email addresses submitted by untrusted users.
For example:
from flask import request, abort
def load(app):
store = app.view_functions["auth.register"]
def limit_email_length():
if len(request.form.get("email", "")) > 320:
abort(403, description="Please use a shorter email address")
return store()
app.view_functions["auth.register"] = limit_email_length
This file can be placed in CTFd/plugins/register_email_limit/__init__.py
.
v3.7.4 has already been deployed to Hosted CTFd customers. Self-hosted users can download the latest version of CTFd from Github.