CVE-2024-3508: Uncontrolled Resource Consumption
A flaw was found in Bombastic, which allows authenticated users to upload compressed (bzip2 or zstd) SBOMs. The API endpoint verifies the presence of some fields and values in the JSON. To perform this verification, the uploaded file must first be decompressed.
AI Analysis
Technical Summary
CVE-2024-3508 identifies an uncontrolled resource consumption vulnerability in Bombastic, a tool that accepts compressed Software Bill of Materials (SBOM) uploads in bzip2 or zstd formats. The vulnerability arises because the API endpoint responsible for verifying the presence of certain JSON fields first decompresses the uploaded file without adequate resource usage controls. Authenticated users can exploit this by uploading specially crafted compressed files that, when decompressed, consume excessive CPU and memory resources, potentially leading to denial of service (DoS) conditions. The flaw is categorized under CWE-434, which involves unrestricted file uploads that can cause harmful effects. The CVSS v3.1 score is 4.3 (medium), reflecting that the attack vector is network-based, the attack complexity is low, low privileges (an authenticated user) are required, and no user interaction is needed. The impact is limited to availability degradation, with no confidentiality or integrity compromise. No patches or known exploits have been reported yet. This vulnerability highlights the risk of insufficient input validation and resource management in file upload and processing functionality, especially when dealing with compressed data formats that can expand significantly upon decompression.
Potential Impact
The primary impact of CVE-2024-3508 is on the availability of Bombastic services. By exploiting this vulnerability, an authenticated attacker can cause excessive resource consumption during the decompression of uploaded SBOM files, potentially leading to denial of service. This can disrupt software supply chain management processes, delay vulnerability assessments, and impact development pipelines relying on Bombastic. While confidentiality and integrity are not directly affected, the availability impact can have cascading effects on organizational security posture and operational continuity. Organizations with high reliance on automated SBOM processing may experience significant operational disruptions. The requirement for authentication limits the attack surface but does not eliminate risk, especially in environments with many users or weak access controls.
Mitigation Recommendations
To mitigate CVE-2024-3508, organizations should implement strict controls on the size and type of uploaded SBOM files, including enforcing maximum file size limits before decompression. Resource limits (CPU, memory, and timeouts) should be applied to the decompression process to prevent excessive consumption. Input validation should be enhanced to detect and reject suspicious or malformed compressed files early. Monitoring and alerting on unusual resource usage patterns during file uploads can help detect exploitation attempts. Access controls should be tightened to restrict upload capabilities to trusted users only. If possible, sandboxing the decompression process or offloading it to isolated environments can reduce the risk of service disruption. Regularly updating Bombastic and applying vendor patches once available is critical. Additionally, organizations should review their incident response plans to address potential denial of service scenarios related to this vulnerability.
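The following is an added illustration of the first two mitigations above (a compressed-size limit checked before decompression, and a hard cap on decompressed output enforced while decompressing), not code from Bombastic or the original page. It uses Python's standard-library bzip2 decompressor; the size limits, the required-field list, and the sample uploads are all constructed for the example. The same chunked, bounded approach applies to zstd with a streaming decompressor from a third-party library, which is omitted here to keep the example dependency-free.

```python
import bz2
import json

# Constructed limits for this example; a real service tunes these to its workload.
MAX_COMPRESSED_BYTES = 1 * 1024 * 1024     # reject oversized uploads before decompressing
MAX_DECOMPRESSED_BYTES = 8 * 1024 * 1024   # hard cap on the expanded SBOM
# Constructed field check; the real endpoint's required fields are not on the page.
REQUIRED_FIELDS = ("bomFormat", "specVersion", "components")


class SbomRejected(ValueError):
    """Raised when an upload violates a size or format limit."""


def decompress_bounded(data: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Decompress a bzip2 stream, aborting as soon as output would exceed `limit`.

    The incremental decompressor's max_length argument lets us stop early rather than
    materialising the full expansion of a small but highly compressible upload.
    """
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data  # whole input on the first call; later calls only drain buffered output
    try:
        while not dec.eof:
            room = limit - len(out) + 1  # +1 so crossing the cap is observable
            chunk = dec.decompress(pending, max_length=room)
            pending = b""
            out += chunk
            if len(out) > limit:
                raise SbomRejected(f"decompressed size exceeds {limit} bytes")
            if not chunk and dec.needs_input:
                raise SbomRejected("truncated bzip2 stream")
    except OSError as exc:  # corrupt stream reported by the decompressor itself
        raise SbomRejected(f"corrupt bzip2 stream: {exc}") from None
    if dec.unused_data:
        raise SbomRejected("trailing data after bzip2 stream")
    return bytes(out)


def validate_sbom_upload(compressed: bytes) -> dict:
    """Apply the limits in order: compressed size, bounded decompression, then JSON checks."""
    if len(compressed) > MAX_COMPRESSED_BYTES:
        raise SbomRejected(f"compressed upload exceeds {MAX_COMPRESSED_BYTES} bytes")
    raw = decompress_bounded(compressed)
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        raise SbomRejected(f"invalid JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise SbomRejected("SBOM must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in doc]
    if missing:
        raise SbomRejected(f"missing required fields: {missing}")
    return doc


def check_upload(compressed: bytes) -> tuple:
    """Return (accepted, reason) so callers can log rejections without raising."""
    try:
        validate_sbom_upload(compressed)
        return (True, "ok")
    except SbomRejected as exc:
        return (False, str(exc))


# Constructed sample uploads: a small valid SBOM and a highly compressible payload
# whose expansion (20 MB) is far above the 8 MB cap.
GOOD_UPLOAD = bz2.compress(json.dumps(
    {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}).encode())
BOMB_UPLOAD = bz2.compress(b"0" * 20_000_000)
TRUNCATED_UPLOAD = GOOD_UPLOAD[:-4]

if __name__ == "__main__":
    for name, blob in (("good", GOOD_UPLOAD), ("bomb", BOMB_UPLOAD), ("truncated", TRUNCATED_UPLOAD)):
        print(name, len(blob), "compressed bytes ->", check_upload(blob))
```

The ordering matters: the compressed-size check costs nothing and runs first, the decompressed cap is enforced inside the decompression loop rather than after it, and JSON parsing only ever sees data that already passed both. A CPU timeout on the decompression call, as the recommendations also suggest, is a separate control that belongs at the worker or container level.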
Affected Countries
United States, Germany, United Kingdom, Japan, South Korea, France, Canada, Australia, Netherlands, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2024-04-09T08:03:26.957Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691f698540b920e2708380f3
Added to database: 11/20/2025, 7:18:29 PM
Last enriched: 2/28/2026, 4:45:47 AM
Last updated: 3/24/2026, 10:12:33 PM