The HttpPostRequestDecoder can be tricked to accumulate data. I have spotted currently two attack vectors
Details
While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.
The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, this field can cumulate data without limits
This PR contains the following updates:
4.1.101.Final
->4.1.108.Final
GitHub Vulnerability Alerts
CVE-2024-29025
Summary
The
HttpPostRequestDecoder
can be tricked to accumulate data. I have spotted currently two attack vectorsDetails
bodyListHttpData
list.undecodedChunk
buffer until it can decode a field, this field can cumulate data without limitsPoC
Here is a Netty branch that provides a fix + tests : https://github.com/vietj/netty/tree/post-request-decoder
Here is a reproducer with Vert.x (which uses this decoder) https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
Impact
Any Netty based HTTP server that uses the
HttpPostRequestDecoder
to decode a form.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.