JFrog Security Research

XRAY-526161 - OkHttp client Brotli DoS

CVE-2023-3782 | CVSS 5.9

JFrog Severity: medium

Discovered by Omer Kaspi of the JFrog Security Research Team

Published 19 Jul, 2023 | Last updated 19 Jul, 2023

DoS of the OkHttp client when using a BrotliInterceptor and browsing to a malicious web server, or when an attacker can perform a MitM to inject a Brotli zip bomb into an HTTP response

com.squareup.okhttp3:okhttp-brotli

Vulnerable versions: (,)

A DoS issue lies in the intercept() function. If the user adds BrotliInterceptor as an interceptor and does not set a content encoding on the request, the OkHttp client adds the HTTP header requesting Brotli encoding and automatically tries to decompress responses. The code does not guard against decompression bombs, so a malicious response can crash the process through memory exhaustion. With Brotli, a file weighing several KB can decompress into 10 GB.

The following client code will crash when connecting to an HTTP server that serves a Brotli zip bomb:

import okhttp3.Call;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.brotli.BrotliInterceptor;
import java.io.IOException;

public class JavassistIntTruncationExample
{
    public static void main(String argv[]) throws IOException {
        // BrotliInterceptor adds "Accept-Encoding: br" and transparently inflates "br" responses
        OkHttpClient client = new OkHttpClient.Builder()
                .addInterceptor(BrotliInterceptor.INSTANCE)
                .build();
        Request request = new Request.Builder()
                .url("http://127.0.0.1:8080")
                .build();
        Call call = client.newCall(request);
        Response response = call.execute();
        // bytes() reads the whole inflated body into memory, with no bound on its size
        System.out.println(response.body().bytes().length);
    }
}

Remove any usage of the BrotliInterceptor class. If Brotli functionality is needed, a fixed version of the class can be found here:

https://github.com/square/okhttp/issues/7738
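As an added example (not JFrog's or OkHttp's own code), one way a client can keep Brotli support while bounding the damage: an interceptor that inflates through a hard cap on decompressed bytes, so a zip bomb ends in an IOException on the read instead of memory exhaustion. It assumes the OkHttp 4.x Java API and the org.brotli:dec BrotliInputStream that okhttp-brotli itself uses; the class name and cap value are the example's own.

```java
import java.io.IOException;
import java.io.InputStream;
import okhttp3.Interceptor;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.ResponseBody;
import okio.BufferedSource;
import okio.Okio;
import org.brotli.dec.BrotliInputStream;
/** Brotli interceptor that refuses to inflate more than maxDecompressedBytes of response body. */
public final class BoundedBrotliInterceptor implements Interceptor {
    private final long maxDecompressedBytes;
    public BoundedBrotliInterceptor(long maxDecompressedBytes) { this.maxDecompressedBytes = maxDecompressedBytes; }

    @Override
    public Response intercept(Interceptor.Chain chain) throws IOException {
        Request request = chain.request();
        // As with BrotliInterceptor, only negotiate Brotli when the caller set no Accept-Encoding itself.
        if (request.header("Accept-Encoding") != null) return chain.proceed(request);
        Response response = chain.proceed(request.newBuilder().header("Accept-Encoding", "br").build());
        ResponseBody body = response.body();
        if (body == null || !"br".equalsIgnoreCase(response.header("Content-Encoding"))) return response;
        // Inflate lazily through a cap. The server's Content-Length is attacker-controlled, so it is dropped.
        InputStream capped = new CappedInputStream(new BrotliInputStream(body.byteStream()), maxDecompressedBytes);
        BufferedSource source = Okio.buffer(Okio.source(capped));
        return response.newBuilder()
                .removeHeader("Content-Encoding")
                .removeHeader("Content-Length")
                .body(ResponseBody.create(source, body.contentType(), -1L))
                .build();
    }

    /** Counts inflated bytes and fails the read with an IOException (not an OutOfMemoryError) past the cap. */
    static final class CappedInputStream extends InputStream {
        private final InputStream in; private final long max; private long seen;
        CappedInputStream(InputStream in, long max) { this.in = in; this.max = max; }
        @Override public int read() throws IOException { int b = in.read(); return b == -1 ? -1 : count(1, b); }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = in.read(buf, off, len);
            return n <= 0 ? n : count(n, n);
        }
        // Adds n inflated bytes to the running total; returns passthrough, or throws once the cap is exceeded.
        private int count(int n, int passthrough) throws IOException {
            seen += n;
            if (seen > max) throw new IOException("Brotli body exceeds " + max + " decompressed bytes");
            return passthrough;
        }
        @Override public void close() throws IOException { in.close(); }
    }
}
```

Registered with `.addInterceptor(new BoundedBrotliInterceptor(64L * 1024 * 1024))` in place of `BrotliInterceptor.INSTANCE`, the client code above fails with an IOException from `bytes()` once the 64 MiB cap is crossed, rather than crashing the process.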
