Matrix Media Repo Unbounded Disk Consumption Vulnerability Leading to Denial-of-Service

A denial-of-service vulnerability has been identified in Matrix Media Repo (MMR) versions prior to 1.3.5. This issue allows an unauthenticated attacker to cause excessive disk usage by inducing the application to download and store large quantities of remote media files. The vulnerability primarily affects instances using a file-backed storage option or those that self-host an S3 storage system, leading to a disk fill attack. When the disk becomes full, authenticated users are unable to upload new media, causing a denial-of-service condition. In cases where cloud-based S3 storage is used, the vulnerability could result in significant service charges instead of a denial-of-service impact.

Impact

Exploitation of this vulnerability leads to unbounded disk consumption, causing the disk to fill up. Once full, authenticated users cannot upload new media, resulting in a denial-of-service condition. For instances using cloud-based S3 storage, this vulnerability could incur high service fees instead of causing a denial-of-service.

Remediation

Users can update to MMR version 1.3.5 or later, which introduces a default-on 'leaky bucket' rate limit to reduce the amount of data an unauthenticated user can request at one time. However, this update requires the IP address associated with the request to be forwarded to avoid incorrectly applying the rate limit to the reverse proxy. For those unable to update, it is advisable to lower the maximum file size allowed and implement strict rate limits, although this may still result in a large volume of data being downloaded.