Description
Summarize before 0.17.0 contains a resource exhaustion vulnerability that allows remote attackers to cause disk exhaustion by serving media responses that bypass the enforced size limit through missing or misreported Content-Length headers, chunked transfer encoding, or failed HEAD requests. Attackers who control a podcast feed or media URL can stream an unbounded response to local storage via the temp-file download path, exhausting disk or system resources on the host running the CLI.
Published: 2026-06-11
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Before version 0.17.0, the summarize CLI has a resource exhaustion flaw that enables remote attackers to exhaust disk space on the host running the tool. By providing a media URL that either lacks a Content-Length header, is served with chunked transfer encoding, or results in a failed HEAD request, the downloader can stream an unbounded file to the local temporary file path. This unbounded write flow burns the host’s available storage, leading to a denial‑of‑service state. The vulnerability does not directly expose confidential data, but it can render the system unusable.

Affected Systems

The steipete summarize project, versions prior to 0.17.0, including all releases before the 0.17.0 tag. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 5.3 classifies the weakness as moderate severity. EPSS information is not available, so the current exploitation probability is unknown. The vulnerability is not listed in CISA KEV. Attackers must control a podcast feed or media URL that the CLI consumes, a role that is typically remote. Once a malicious media source is provided, the exploit can occur without authentication and can exhaust disk resources on any system running the vulnerable CLI, potentially affecting single‑user or system‑wide availability. Proper exploitation therefore requires that the attacker can supply the media source; once that condition is met, the risk is considerable.

Generated by OpenCVE AI on June 11, 2026 at 22:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 0.17.0 or later to apply the vendor patch that removes the unbounded download behavior
  • If an upgrade cannot be performed immediately, reconfigure the summarizer to disable automatic media downloads or set an explicit maximum download size in its configuration
  • Implement disk‑usage monitoring and configure alerts before the temporary storage quota is reached; consider placing temporary downloads on a separate partition to isolate the effect of exhaustion

Generated by OpenCVE AI on June 11, 2026 at 22:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Steipete
Steipete summarize
Vendors & Products Steipete
Steipete summarize

Thu, 11 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Description Summarize before 0.17.0 contains a resource exhaustion vulnerability that allows remote attackers to cause disk exhaustion by serving media responses that bypass the enforced size limit through missing or misreported Content-Length headers, chunked transfer encoding, or failed HEAD requests. Attackers who control a podcast feed or media URL can stream an unbounded response to local storage via the temp-file download path, exhausting disk or system resources on the host running the CLI.
Title Summarize < 0.17.0 Disk Exhaustion via Uncapped Media Download
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Steipete Summarize
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-11T19:11:49.211Z

Reserved: 2026-06-10T20:14:32.826Z

Link: CVE-2026-53781

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-11T20:16:25.637

Modified: 2026-06-11T20:50:49.480

Link: CVE-2026-53781

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T22:15:09Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling