[MAVEN:GHSA-5JPM-X58V-624V] Netty's HttpPostRequestDecoder can OOM
Severity: Moderate
Affected Packages: 1
Fixed Packages: 1
CVEs: 1
Summary
The HttpPostRequestDecoder can be tricked into accumulating data. I have currently spotted two attack vectors.
Details
- While the decoder can store items on disk if configured to do so, there is no limit on the number of fields a form can have: an attacker can send a chunked POST consisting of many small fields that will be accumulated in the `bodyListHttpData` list.
- The decoder accumulates bytes in the `undecodedChunk` buffer until it can decode a field; this field can accumulate data without limit.
PoC
Here is a Netty branch that provides a fix and tests: https://github.com/vietj/netty/tree/post-request-decoder
Here is a reproducer with Vert.x (which uses this decoder): https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
Impact
Any Netty-based HTTP server that uses the HttpPostRequestDecoder to decode a form.
Package | Affected Version |
---|---|
pkg:maven/io.netty/netty-codec-http | < 4.1.108.Final |
Package | Fixed Version |
---|---|
pkg:maven/io.netty/netty-codec-http | = 4.1.108.Final |
- ID: MAVEN:GHSA-5JPM-X58V-624V
- Severity: moderate
- URL: https://github.com/advisories/GHSA-5jpm-x58v-624v
- Published: 2024-03-25T19:40:50 (5 months ago)
- Modified: 2024-03-25T22:31:42 (5 months ago)
- Rights: Maven Security Team
- Other Advisories
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/io.netty/netty-codec-http | io.netty | netty-codec-http | < 4.1.108.Final | |||
Fixed | pkg:maven/io.netty/netty-codec-http | io.netty | netty-codec-http | = 4.1.108.Final | | | |