CVE-2021-37253: 
M-Files Online vulnerability analysis and mitigation

M-Files Web before 20.10.9524.1 allows a denial of service vulnerability via overlapping ranges in HTTP requests with crafted Range or Request-Range headers. This vulnerability was discovered in December 2021 and is tracked as CVE-2021-37253. The vulnerability is disputed because the range behavior is considered the responsibility of the web server, not the individual web application (NVD, Full Disclosure).

The vulnerability allows remote unauthenticated attackers to send crafted requests with overlapping ranges via HTTP requests with specially-crafted Range or Request-Range headers. This causes the web application to compress each of the requested bytes, resulting in excessive memory and CPU consumption. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) and CVSS v2.0 score of 7.8 (HIGH), indicating significant impact on system availability (Full Disclosure, Vulmon).

When successfully exploited, the vulnerability can cause the web application to crash due to excessive memory and CPU consumption, preventing legitimate users from accessing the system. The attack primarily affects system availability, with no direct impact on confidentiality or integrity of the system (Full Disclosure).

While there is no official patch from the vendor, recommended mitigations include restricting IP addresses for incoming web application requests/clients or reconfiguring the web server for 'Byte-range Request Segment Size'. The vendor has acknowledged the vulnerability but has indicated that no effort will be given to fixing it (Full Disclosure).