CVE-2024-29025
Denial-of-Service (DoS) vulnerability in netty-codec-http (Maven)
What is CVE-2024-29025 About?
This vulnerability in Netty's `HttpPostRequestDecoder` allows an attacker to cause excessive data accumulation, leading to denial of service. The impact involves resource exhaustion and application unresponsiveness. Exploitation is relatively easy by sending crafted chunked POST requests.
Affected Software
Technical Details
The vulnerability in Netty's HttpPostRequestDecoder stems from two primary attack vectors, both leading to uncontrolled data accumulation and potential denial of service. Firstly, the decoder lacks limits on the number of fields a form can have. An attacker can exploit this by sending a chunked POST request consisting of a large number of very small fields. Each field, though small, is accumulated in the bodyListHttpData list, leading to significant memory consumption. Secondly, the undecodedChunk buffer, which accumulates bytes until a field can be fully decoded, also lacks size limits. An attacker can continuously send data that prevents a field from being fully decoded, causing this buffer to grow indefinitely. Both mechanisms lead to resource exhaustion (memory or CPU) in the server, resulting in a denial-of-service condition.
What is the Impact of CVE-2024-29025?
Successful exploitation may allow attackers to consume excessive memory or CPU resources, leading to application crashes or unresponsiveness, thus causing a denial of service for legitimate users.
What is the Exploitability of CVE-2024-29025?
Exploitation has a low complexity. It requires an attacker to send specially crafted HTTP POST requests to a Netty-based server utilizing the HttpPostRequestDecoder. No authentication or specific privileges are required for this attack, as it targets the processing of incoming requests regardless of user identity. The attack is remote, conducted by sending malicious HTTP traffic. The special conditions include the use of chunked encoding for POST requests and the application being built on Netty with the HttpPostRequestDecoder. Risk factors that increase exploitation likelihood include publicly exposed Netty HTTP servers that accept arbitrary POST forms and applications that don't implement strict input limits or timeouts for incoming HTTP requests.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-29025?
About the Fix from Resolved Security
This patch adds limits on the maximum number of form fields and the maximum size of buffered field data when decoding HTTP POST forms, raising specific exceptions if these limits are exceeded. This fixes CVE-2024-29025 by preventing attackers from launching DoS attacks through multipart or urlencoded form submissions with excessive fields or very large field data, which could otherwise consume excessive memory and CPU.
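The following handler is an added example (not code from the advisory or from the Netty project) showing how an application on the fixed version bounds what `HttpPostRequestDecoder` may accumulate for a chunked POST. It assumes netty-codec-http 4.1.108.Final or later, the five-argument decoder constructor `(HttpDataFactory, HttpRequest, Charset, int maxFields, int maxBufferedBytes)`, and the nested exception names `TooManyFormFieldsException` and `TooLongFormFieldException`; the limit values and the class name `BoundedFormUploadHandler` are choices made for this example, and the API names should be checked against the version actually deployed.

```java
import java.nio.charset.StandardCharsets;

import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.DecoderException;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpObject;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;
import io.netty.handler.codec.http.multipart.HttpDataFactory;
import io.netty.handler.codec.http.multipart.HttpPostRequestDecoder;
import io.netty.handler.codec.http.multipart.InterfaceHttpData;

/**
 * Form-upload handler that caps both growth paths named in CVE-2024-29025:
 * the number of decoded fields (bodyListHttpData) and the bytes held while a
 * field is still incomplete (undecodedChunk).
 *
 * Assumption: netty-codec-http >= 4.1.108.Final, where HttpPostRequestDecoder
 * accepts maxFields / maxBufferedBytes and throws the two nested exceptions
 * caught below when a limit is exceeded.
 */
public final class BoundedFormUploadHandler extends SimpleChannelInboundHandler<HttpObject> {

    // Example limits; tune them to the forms the application really accepts.
    private static final int MAX_FIELDS = 128;             // bounds bodyListHttpData
    private static final int MAX_BUFFERED_BYTES = 1 << 20; // 1 MiB bound on undecodedChunk

    // Keep field data in memory (no disk spill) for this example.
    private static final HttpDataFactory FACTORY = new DefaultHttpDataFactory(false);

    private HttpPostRequestDecoder decoder;

    @Override
    protected void channelRead0(ChannelHandlerContext ctx, HttpObject msg) {
        if (msg instanceof HttpRequest) {
            HttpRequest request = (HttpRequest) msg;
            if (!HttpMethod.POST.equals(request.method())) {
                reject(ctx, HttpResponseStatus.METHOD_NOT_ALLOWED);
                return;
            }
            try {
                decoder = new HttpPostRequestDecoder(FACTORY, request, StandardCharsets.UTF_8,
                        MAX_FIELDS, MAX_BUFFERED_BYTES);
            } catch (DecoderException e) { // e.g. unusable Content-Type
                reject(ctx, HttpResponseStatus.BAD_REQUEST);
                return;
            }
        }
        if (msg instanceof HttpContent && decoder != null) {
            try {
                // Every chunk of a chunked POST is offered to the decoder; with the
                // limits set, the decoder throws instead of growing without bound.
                decoder.offer((HttpContent) msg);
                while (decoder.hasNext()) {
                    handleField(decoder.next());
                }
            } catch (HttpPostRequestDecoder.TooManyFormFieldsException
                     | HttpPostRequestDecoder.TooLongFormFieldException e) {
                // A limit was hit: answer 413, close the connection, free buffers.
                reject(ctx, HttpResponseStatus.PAYLOAD_TOO_LARGE);
                return;
            } catch (HttpPostRequestDecoder.EndOfDataDecoderException e) {
                // All currently decodable fields consumed; wait for the next chunk.
            } catch (DecoderException e) {
                reject(ctx, HttpResponseStatus.BAD_REQUEST);
                return;
            }
            if (msg instanceof LastHttpContent) {
                ctx.writeAndFlush(new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK));
                release();
            }
        }
    }

    private void handleField(InterfaceHttpData data) {
        // Application logic goes here; this example only records name and type.
        System.out.printf("decoded field %s (%s)%n", data.getName(), data.getHttpDataType());
    }

    private void reject(ChannelHandlerContext ctx, HttpResponseStatus status) {
        release();
        ctx.writeAndFlush(new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, status))
           .addListener(ChannelFutureListener.CLOSE);
    }

    private void release() {
        if (decoder != null) {
            decoder.destroy(); // frees all accumulated HttpData and the undecoded buffer
            decoder = null;
        }
    }

    @Override
    public void channelInactive(ChannelHandlerContext ctx) {
        release(); // a client that disconnects mid-upload must not leak buffered data
        ctx.fireChannelInactive();
    }
}
```

The handler closes the connection on a limit violation rather than merely skipping the request, so a client that keeps streaming small fields or an endless partial field cannot continue feeding the same decoder; `destroy()` in every exit path is what actually returns the accumulated memory.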
Available Upgrade Options
- io.netty:netty-codec-http
  - < 4.1.108.Final → upgrade to 4.1.108.Final
Additional Resources
- https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c
- https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
- https://github.com/netty/netty
- https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
- https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html
- https://github.com/vietj/netty/tree/post-request-decoder
- https://nvd.nist.gov/vuln/detail/CVE-2024-29025
What are Similar Vulnerabilities to CVE-2024-29025?
Similar Vulnerabilities: CVE-2023-4586, CVE-2023-34045, CVE-2022-42004, CVE-2021-39139, CVE-2021-21391
