mikecao/flight Denial-of-Service Vulnerability in Request Body Handling

Vulnerability

A denial-of-service vulnerability has been identified in the mikecao/flight PHP framework, specifically in versions prior to 1.2. The issue arises from the Request class eagerly loading the entire request body for every HTTP request, regardless of whether the application requires it. Because every request pays this cost, an attacker can send requests with large payloads and drive up memory usage, potentially causing the application to crash or become unavailable. The vulnerability was addressed in version 1.2 by implementing lazy loading of request bodies, so the body is read only when the application actually asks for it.
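The following is an added illustration of the two patterns the advisory contrasts, written for this page and not taken from Flight's own Request class; the class and method names, the default limit, and the Content-Length pre-check are assumptions:

```php
<?php
// Added illustration (not mikecao/flight's own code): the eager shape the
// advisory describes next to a lazy, size-guarded reader.

// Vulnerable shape: the whole body is read into memory on construction,
// whether or not the handler ever looks at it.
final class EagerRequest
{
    public string $body;

    public function __construct()
    {
        $this->body = (string) file_get_contents('php://input');
    }
}

// Hardened shape: the body is read only when a handler asks for it, and a
// declared Content-Length above the limit is rejected before any read.
// The limit and the pre-check are assumed for this example.
final class LazyRequest
{
    private ?string $body = null;

    public function __construct(private int $maxBodyBytes = 1024 * 1024) {}

    public function getBody(): string
    {
        if ($this->body === null) {
            $declared = (int) ($_SERVER['CONTENT_LENGTH'] ?? 0);
            if ($declared > $this->maxBodyBytes) {
                throw new RuntimeException('Request body exceeds limit');
            }
            // Read at most limit + 1 bytes so an undeclared oversize body is
            // also caught without buffering all of it.
            $data = (string) file_get_contents(
                'php://input', false, null, 0, $this->maxBodyBytes + 1
            );
            if (strlen($data) > $this->maxBodyBytes) {
                throw new RuntimeException('Request body exceeds limit');
            }
            $this->body = $data;
        }
        return $this->body;
    }
}

$request = new LazyRequest();   // nothing has been read from php://input yet
// Only a handler that actually needs the payload pays for it:
// $payload = $request->getBody();
```

Lazy loading removes the cost only for handlers that never read the body; an endpoint that does read it still depends on a body-size limit enforced at the web server (for example nginx's client_max_body_size) or in the application.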

Impact

Exploitation of this vulnerability can cause significant memory consumption, potentially leading to application crashes or service unavailability.

Reproduction

To reproduce this vulnerability, initialize a new Composer project and install a vulnerable version of mikecao/flight (e.g., v1.1.10). Configure an nginx server to accept large request bodies and keep the default PHP-FPM settings. After starting the nginx and PHP-FPM services, confirm that the endpoint 'PUT /vulnerable' is accessible. Use a Python script to send 100 concurrent requests, each with a 100MB payload, while monitoring the server's memory and CPU usage.

Remediation

Users can upgrade to mikecao/flight version 1.2 or later, where this vulnerability has been fixed.

Added: Sep 3, 2025, 9:20 AM
Updated: Sep 3, 2025, 2:21 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         2.5
exploitability: 8.7
remediation:    7.7
relevance:      0.4
threat:         6.4
urgency:        2.9
incentive:      5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.