CGA-gph4-p2pw-xq8x
Denial of Service vulnerability in netty-codec-http2 (Maven)
What is CGA-gph4-p2pw-xq8x About?
This Denial of Service vulnerability in 'handlebars' affects versions prior to 4.4.5, where specially-crafted templates can force the parser into an endless loop. This can lead to resource exhaustion and a denial of service for the application. Exploitation is relatively easy using malicious template input.
Affected Software
Technical Details
The vulnerability in handlebars versions prior to 4.4.5 is a Denial of Service (DoS) caused by an infinite loop within the package's parser. When processing specially-crafted templates, certain input patterns can trigger a condition where the parser repeatedly processes the same or a continuously expanding block of code without termination. This endless loop consumes excessive CPU cycles and memory, leading to the exhaustion of system resources. As a result, the application becomes unresponsive and unavailable to legitimate users, effectively causing a Denial of Service. The exact template structure that triggers this loop would depend on the parser's state machine and how it handles malformed or recursive constructs, often related to handlebars expressions or block helpers.
What is the Impact of CGA-gph4-p2pw-xq8x?
Successful exploitation may allow attackers to exhaust system resources, leading to a denial of service and making the application unavailable.
What is the Exploitability of CGA-gph4-p2pw-xq8x?
Exploitation of this Denial of Service vulnerability is of moderate complexity. It requires an attacker to submit a specially crafted template that will be parsed by the vulnerable handlebars version. This is typically a remote attack, as the attacker needs to provide the malicious template content. There are no specific authentication or privilege requirements beyond the ability to submit input that gets rendered as a handlebars template. The primary prerequisite is the construction of a template that triggers the parser's infinite loop condition. The likelihood of exploitation increases in applications that allow untrusted users to submit or modify template content, such as in user-generated content platforms or dynamic email generation services.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CGA-gph4-p2pw-xq8x?
About the Fix from Resolved Security
This patch introduces a configurable rate limit on the number of HTTP/2 RST_STREAM frames that can be processed per connection in a given time window, closing the connection if the limit is exceeded. This mitigates GHSA-xpw8-rcwv-8f8p by preventing attackers from flooding the server with RST_STREAM frames, which could otherwise lead to excessive CPU usage and denial of service.
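The mitigation described above, as an added example that is not Netty's own code: a per-connection RST_STREAM counter with a fixed time window, modelled in Python so the behaviour can be replayed against constructed frame sequences. The limit and window values, the class and function names, and the sample traffic are all constructed for this illustration; consult the 4.1.100.Final release notes for the real defaults and configuration.

```python
import time

class RstStreamRateLimiter:
    """Per-connection fixed-window RST_STREAM counter modelling the mitigation above.
    One instance per connection is assumed; exceeding the limit marks the connection
    closed, so a flood costs the peer its connection rather than the server's CPU."""

    def __init__(self, max_frames_per_window=200, window_seconds=30.0, clock=time.monotonic):
        # Constructed, illustrative defaults; the clock is injectable for deterministic replay.
        self.max_frames_per_window = max_frames_per_window
        self.window_seconds = window_seconds
        self.clock = clock
        self.window_start = None
        self.count = 0
        self.connection_open = True

    def on_rst_stream(self):
        """Record one RST_STREAM frame; True if accepted, False once the limit is exceeded."""
        if not self.connection_open:
            return False
        now = self.clock()
        if self.window_start is None or now - self.window_start >= self.window_seconds:
            self.window_start = now  # fresh window: the old count no longer matters
            self.count = 0
        self.count += 1
        if self.count > self.max_frames_per_window:
            self.connection_open = False
            return False
        return True


def replay_frames(events, max_frames_per_window, window_seconds):
    """Replay (timestamp, frame_type) events on one connection; return the index of the
    event that closed it, or None if the connection survived the whole sequence."""
    now = {"t": 0.0}
    limiter = RstStreamRateLimiter(max_frames_per_window, window_seconds, clock=lambda: now["t"])
    for i, (t, frame_type) in enumerate(events):
        now["t"] = t  # timestamps are advanced by the replay, not read from the wall clock
        if frame_type == "RST_STREAM" and not limiter.on_rst_stream():
            return i
    return None


if __name__ == "__main__":
    # Constructed sample traffic: a client cancelling a few streams, and a RST_STREAM flood.
    normal = [(0.0, "HEADERS"), (0.4, "RST_STREAM"), (5.0, "HEADERS"), (5.2, "RST_STREAM")]
    flood = [(0.001 * i, "RST_STREAM") for i in range(10)]
    print("normal client closed at event:", replay_frames(normal, 3, 10.0))  # None
    print("flooding client closed at event:", replay_frames(flood, 3, 10.0))  # 3
```

A window that has elapsed resets the count, so a client that cancels streams at a normal pace is never affected; only a burst inside one window trips the limit.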
Available Upgrade Options
- io.netty:netty-codec-http2
- <4.1.100.Final → Upgrade to 4.1.100.Final
Additional Resources
- https://www.cve.org/CVERecord?id=CVE-2023-44487
- https://github.com/netty/netty
- https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3
- https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p
- https://nvd.nist.gov/vuln/detail/CVE-2023-44487
- https://osv.dev/vulnerability/GHSA-xpw8-rcwv-8f8p
- https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
What are Similar Vulnerabilities to CGA-gph4-p2pw-xq8x?
Similar Vulnerabilities: CVE-2021-23389, CVE-2022-38706, CVE-2022-24999, CVE-2023-38829, CVE-2020-7798
