vavr-io / vavr

vʌvr (formerly called Javaslang) is a non-commercial, non-profit object-functional library that runs with Java 8+. It aims to reduce the lines of code and increase code quality.
https://vavr.io

DoS Vulnerability was discovered in io.vavr:vavr:0.10.4 #2753

Open Alex111998 opened 10 months ago

Alex111998 commented 10 months ago

Summary

A denial of service vulnerability in vavr was discovered by CIFuzz. A bug in method CharSeq.repeat(char, int) means that an input of modest size can lead to indefinite amounts of memory being used. It can be reproduced with the following code.

POC

pom

```xml
<dependency>
    <groupId>io.vavr</groupId>
    <artifactId>vavr</artifactId>
    <version>0.10.4</version>
</dependency>
```

code

```java
import io.vavr.collection.CharSeq;

public class Poc {
    public static void main(String[] args) {
        CharSeq.repeat('a', 762526009); // materialises ~762 M chars in one go
    }
}
```

Attack

[image: screenshot attached to the original issue]
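The report above shows the problem but not a mitigation. The following is an added example, not code from the vavr project or from the reporter: a caller-side guard that bounds the repeat count by an application policy limit and by the heap headroom actually available, so an attacker-controlled count is rejected before any allocation happens. `MAX_REPEAT`, `BoundedRepeat` and `estimatedBytes` are names chosen for this example; the only vavr call used is `CharSeq.repeat(char, int)` from the report.

```java
import io.vavr.collection.CharSeq;

/**
 * Added example (not vavr's own code): guard CharSeq.repeat against oversized,
 * untrusted counts. CharSeq is an immutable wrapper around a String, so
 * repeat(c, n) has to materialise n characters; the library only checks the
 * sign of n, so the caller must enforce an upper bound.
 */
public final class BoundedRepeat {

    /** Hypothetical policy limit; set it to what the application really needs. */
    static final int MAX_REPEAT = 1 << 20; // 1,048,576 chars

    private BoundedRepeat() {}

    /**
     * Conservative estimate of the bytes a repeat of n chars will need:
     * two bytes per char (UTF-16 backing array, no compact-string assumption).
     */
    static long estimatedBytes(int times) {
        return 2L * times;
    }

    /** Bytes of heap still allocatable right now (max - currently used). */
    static long heapHeadroom() {
        Runtime rt = Runtime.getRuntime();
        long used = rt.totalMemory() - rt.freeMemory();
        return rt.maxMemory() - used;
    }

    /**
     * Rejects negative counts, counts above the policy limit, and counts the
     * current heap cannot hold; only then delegates to CharSeq.repeat.
     */
    static CharSeq repeat(char c, int times) {
        if (times < 0) {
            throw new IllegalArgumentException("times must be >= 0, got " + times);
        }
        if (times > MAX_REPEAT) {
            throw new IllegalArgumentException(
                "repeat count " + times + " exceeds policy limit " + MAX_REPEAT);
        }
        long needed = estimatedBytes(times);
        long headroom = heapHeadroom();
        if (needed > headroom) {
            throw new IllegalStateException(
                "repeat of " + times + " chars needs ~" + needed
                + " bytes but only " + headroom + " bytes of heap remain");
        }
        return CharSeq.repeat(c, times);
    }

    public static void main(String[] args) {
        System.out.println(repeat('a', 4));            // aaaa
        try {
            repeat('a', 762526009);                    // the count from the report
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The policy limit does the real work: a fixed ceiling derived from the use case is predictable and testable, whereas the heap-headroom check is only a last line of defence, since other threads may allocate between the check and the call.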

chaotic3quilibrium commented 9 months ago

I don't understand how this is a DoS vulnerability?

What is the suggested remediation? Perhaps that would better explain how it is a DoS.