CTFd 3.7.4

CTFd 3.7.4 has been released with a security fix for a vulnerability where an attacker could perform a Denial of Service against a CTFd instance.

CTFd v2.2.0 to v3.7.3 are affected.

We recommend all CTFd users update their instance to v3.7.4.

If your CTFd instance cannot be easily updated, we recommend using a plugin to restrict the length of email addresses submitted by untrusted users.

For example:

```python
from flask import request, abort


def load(app):
    # CTFd calls load(app) for every plugin at startup.
    # Keep a reference to the original registration view...
    store = app.view_functions["auth.register"]

    def limit_email_length():
        # ...and reject oversized email values before the original view runs.
        if len(request.form.get("email", "")) > 320:
            abort(403, description="Please use a shorter email address")
        return store()

    # Replace the registered view with the wrapped one.
    app.view_functions["auth.register"] = limit_email_length
```

This file can be placed in CTFd/plugins/register_email_limit/__init__.py.
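To check that the mitigation is actually in effect, the following added example (not part of this release note or of CTFd's code) builds a minimal Flask app whose `auth.register` endpoint mirrors the shape of CTFd's, applies the same view-swapping technique as the plugin above, and exercises it with Flask's test client. It assumes Flask is installed and that the blueprint name `auth` and view name `register` match CTFd's endpoint naming.

```python
from functools import wraps

from flask import Blueprint, Flask, abort, request

MAX_EMAIL_LENGTH = 320  # same bound the plugin uses


def limit_email_length(view):
    """Wrap a view so oversized 'email' form values are rejected with 403."""

    @wraps(view)
    def wrapper(*args, **kwargs):
        if len(request.form.get("email", "")) > MAX_EMAIL_LENGTH:
            abort(403, description="Please use a shorter email address")
        return view(*args, **kwargs)

    return wrapper


def create_app():
    app = Flask(__name__)

    # Constructed stand-in for CTFd's registration view; the blueprint name
    # "auth" yields the endpoint key "auth.register" the plugin patches.
    auth = Blueprint("auth", __name__)

    @auth.route("/register", methods=["GET", "POST"])
    def register():
        return "registered", 200

    app.register_blueprint(auth)

    # Same mechanism as the plugin: swap the endpoint's view function in place.
    app.view_functions["auth.register"] = limit_email_length(
        app.view_functions["auth.register"]
    )
    return app


def register_status(app, email):
    """POST a registration with the given email and return the HTTP status."""
    with app.test_client() as client:
        return client.post("/register", data={"email": email}).status_code


if __name__ == "__main__":
    app = create_app()
    print(register_status(app, "user@example.com"))            # 200
    print(register_status(app, "a" * 321 + "@example.com"))    # 403
```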

v3.7.4 has already been deployed to Hosted CTFd customers. Self-hosted users can download the latest version of CTFd from GitHub.