Invalid Calendar Date Leads to Denial-of-Service (DoS)
Lawrence Berkeley National Laboratory (LBNL)
This write-up details my purely accidental discovery of a vulnerability that could lead to a denial-of-service (DoS) condition due to an invalid calendar date.
I came across the following web page during one of my reconnaissance activities:
When I clicked on the "Current" button, it updated the page to include a date parameter as seen in the URL below:
Immediately, I thought of testing the date parameter for XSS or at least HTML injection. However, I received the following error.
Then a random idea came to mind. What if the software only expects valid dates? What will happen if I input an invalid date?
I tried inputting "0000-00-00" as the date parameter, which is an invalid date. To my surprise, the server responded with an HTTP 502 Bad Gateway response, indicating a potential denial-of-service (DoS) vulnerability. I immediately panicked and stopped my testing, because I remembered that DoS is prohibited in responsible disclosure programs.
I was not sure if this behavior was purely dependent on the current session, so I tested with VPN access to change my IP address, and tested in an incognito window to confirm the behavior. I opened the target URL and it still showed HTTP 502 Bad Gateway.
After a lengthy discussion with Gemini, I decided to report the issue responsibly, because this is considered application-level DoS, not network-level DoS, which is prohibited. I suspected that this is an input validation or backend error handling issue related to unexpected date values. A possible mitigation could involve implementing proper input validation and graceful error handling for date parameters.
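As an added illustration of that mitigation (not code from the affected application or from this write-up; the function names, the `MIN_DATE` lower bound and the handler shape are assumptions), strict validation of a `date` query parameter in Python that turns values such as "0000-00-00" into an HTTP 400 instead of an unhandled backend error:

```python
import re
from datetime import date

# Strict YYYY-MM-DD shape: ASCII digits only, nothing before or after.
_DATE_RE = re.compile(r"\A(\d{4})-(\d{2})-(\d{2})\Z", re.ASCII)
MIN_DATE = date(2000, 1, 1)  # assumed earliest date the page has data for


class BadDate(ValueError):
    """The date parameter is malformed, not a real date, or out of range."""


def parse_date_param(raw, today=None):
    """Return a datetime.date for a valid parameter, else raise BadDate."""
    today = today or date.today()
    if not isinstance(raw, str) or len(raw) != 10:
        raise BadDate("expected YYYY-MM-DD")
    m = _DATE_RE.match(raw)
    if m is None:
        raise BadDate("expected YYYY-MM-DD")
    try:
        # date() rejects year 0, month 0 or 13, day 0, Feb 30, and so on.
        value = date(*map(int, m.groups()))
    except ValueError:
        raise BadDate("not a calendar date") from None
    if not (MIN_DATE <= value <= today):
        raise BadDate("date out of supported range")
    return value


def handle_request(params, render, today=None):
    """Hypothetical handler: returns (status, body); date errors never escape."""
    today = today or date.today()
    try:
        day = parse_date_param(params["date"], today) if "date" in params else today
    except BadDate as exc:
        # Fixed message text only; the raw input is never echoed back.
        return 400, f"Invalid date parameter: {exc}"
    try:
        return 200, render(day)
    except Exception:
        # Backend failure: generic body, details belong in server logs.
        return 500, "Internal error"
```

The 400 body is built from constant strings, so the rejected input is not reflected into the response.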
Jay replied promptly, acknowledging the issue and thanking me for my responsible disclosure. However, this time my name was not listed in the White Hats for Science Kudos section, probably because they forgot to add it. Despite this, I think it is alright, considering I have already received multiple acknowledgments in the past.
See you in the next hack.
— @aaronamran
January 2026