Cloudflare Workerd FormData API Integer Overflow Vulnerability Allowing Buffer Under-Read

Vulnerability

A buffer under-read vulnerability has been identified in the FormData API of Cloudflare Workerd, prior to version v1.20230419.0. This vulnerability arises from an integer overflow issue that occurs when a FormData instance contains more than 2^31 elements. In such cases, the forEach() method may read from incorrect memory locations during iteration, potentially leading to a segmentation fault or arbitrary undefined behavior. Although this vulnerability was not exploitable on the Cloudflare Workers platform, it could theoretically be exploited on workerd deployments on machines with substantial memory. To exploit this vulnerability remotely, an attacker would need to upload a form-encoded HTTP request of several gigabytes, which would then be parsed and iterated over using request.formData() and formData.forEach().
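
The advisory does not say which variable overflowed. The model below is an added illustration, not workerd's code, and assumes the usual shape of this bug class: the element count is a size_t but the per-element index was narrowed to a signed 32-bit int, so element number 2^31 is the first whose computed offset lands before the buffer. The struct layout and 64-bit target are also assumptions; the hardened variant keeps the index in size_t and bounds-checks it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>

// Constructed model of the bug class in the advisory, not workerd's code.
// Assumption: count is a size_t, but the index was narrowed to int32_t.

struct Entry {            // stand-in for one stored FormData name/value pair
  const char* name;
  const char* value;
};

// Vulnerable pattern: narrow the element number to int32. Going through
// uint32 first keeps the conversion well defined and yields the
// two's-complement wrap a real build would see (element 2^31 -> INT32_MIN).
int32_t narrowedIndex(size_t i) {
  return static_cast<int32_t>(static_cast<uint32_t>(i));
}

// Byte offset from the start of the entry array that the narrowed index
// addresses. A negative result is a read before the buffer: the under-read.
int64_t vulnerableOffset(size_t i) {
  return static_cast<int64_t>(narrowedIndex(i)) *
         static_cast<int64_t>(sizeof(Entry));
}

bool wouldUnderRead(size_t i) { return vulnerableOffset(i) < 0; }

// Hardened pattern: keep the index in size_t and check it against the count
// before forming an address. Returns false instead of an offset when out of
// range, so the caller cannot dereference a bad location.
bool checkedOffset(size_t i, size_t count, size_t* out) {
  if (i >= count) return false;
  *out = i * sizeof(Entry);
  return true;
}

int main() {
  const size_t kBoundary = static_cast<size_t>(INT32_MAX) + 1;  // 2^31
  for (size_t i : {kBoundary - 1, kBoundary, kBoundary * 2}) {
    std::printf("element %zu -> narrowed %d, offset %lld%s\n", i,
                narrowedIndex(i),
                static_cast<long long>(vulnerableOffset(i)),
                wouldUnderRead(i) ? " (under-read)" : "");
  }
  size_t off = 0;
  std::printf("checked access at 2^31: %d\n",
              checkedOffset(kBoundary, kBoundary + 1, &off));
  return 0;
}
```

Element 2^32 narrows back to index 0, so besides the under-read at 2^31 the loop would also revisit earlier entries instead of the intended ones, which is the "incorrect memory locations" the advisory describes.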

Impact

Exploitation of this vulnerability could cause a buffer under-read, allowing for incorrect memory access. This could most likely result in a segmentation fault, but could also lead to arbitrary undefined behavior.

Remediation

Users are advised to update to Cloudflare Workerd version v1.20230419.0 or later.

Added: Mar 11, 2026, 6:49 PM
Updated: Mar 11, 2026, 6:49 PM

Vulnerability Rating

Custom Algorithm

  spread          2.2
  impact          3.8
  exploitability  6.4
  remediation     7.7
  relevance       0.0
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.