Shell In A Box 2.2.0 Denial Of Service

Shell In A Box versions 2.2.0 and below suffer from an infinite loop denial of service vulnerability.

MD5 | 07020adca6e97df6e795a45fee4ff700

Product: Shell In A Box (aka shellinabox, shellinaboxd)

"Shell In A Box implements a web server that can export arbitrary command
line tools to a web based terminal emulator. This emulator is accessible to
any JavaScript and CSS enabled web browser and does not require any
additional browser plugins. "
Most official-ish site:

Vulnerability description:

The multipart/form-data parser function in the built-in webserver of Shell
In A Box enters an infinite loop in case of malformed request payload, the
server stops serving new requests and the the process eats up 100% of CPU


curl -v --header "Content-type: multipart/form-data;
boundary=------------------------8d14c0216fd84557" -d "impeachment"

Affected Shell In A Box versions:
2.20 and below

Upgrade to 2.21
Package available in Debian sid:

Related Posts