t2bot matrix-media-repo
cpe:2.3:a:matrix-media-repo_project:matrix-media-repo:*:*:*:*:*:*:*
- < 1.3.8
A denial-of-service vulnerability has been identified in Matrix Media Repo (MMR) versions prior to 1.3.8. This issue arises because MMR can parse large amounts of JSON data returned from other servers, leading to excessive memory consumption and exhaustion of available resources. The vulnerability can be exploited during normal operation when MMR processes requests to resource owners that return substantial JSON payloads.
Exploitation of this vulnerability can cause memory exhaustion, leading to a denial-of-service condition where the application becomes unresponsive or unavailable.
Users are advised to upgrade to Matrix Media Repo version 1.3.8. For those unable to upgrade, forward proxies can be configured to block requests to unsafe hosts. Additionally, MMR processes can be set with memory limits and configured to auto-restart. Running multiple MMR processes concurrently can also help mitigate the impact of a restart on users.
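The defensive pattern behind this class of issue, as an added Go example (not MMR's code and not the 1.3.8 patch): cap how many bytes of a remote server's JSON response are buffered before parsing. `decodeBoundedJSON`, `fetchRemoteJSON`, `ErrTooLarge`, the sample bodies and the 1024-byte limit are names and values assumed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// ErrTooLarge reports a remote body that exceeds the caller's byte limit.
var ErrTooLarge = errors.New("remote JSON response exceeds size limit")

// decodeBoundedJSON buffers at most limit bytes from r before decoding into v.
func decodeBoundedJSON(r io.Reader, limit int64, v interface{}) error {
	// Read limit+1 bytes so an oversized body is rejected, not silently truncated.
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return err
	}
	if int64(len(data)) > limit {
		return ErrTooLarge
	}
	return json.Unmarshal(data, v)
}

// fetchRemoteJSON (hypothetical helper) applies the cap to an HTTP response.
func fetchRemoteJSON(c *http.Client, url string, limit int64, v interface{}) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	// Content-Length is only a hint (-1 when absent); the read cap is the real control.
	if resp.ContentLength > limit {
		return ErrTooLarge
	}
	return decodeBoundedJSON(resp.Body, limit, v)
}

func main() {
	const limit = 1024 // assumed cap for this example, not a value from MMR
	var out map[string]interface{}
	small := `{"name":"example","size":12345}`                  // constructed sample body
	big := `{"pad":"` + strings.Repeat("A", 1<<20) + `"}` // constructed oversized body
	fmt.Println("small:", decodeBoundedJSON(strings.NewReader(small), limit, &out))
	fmt.Println("large:", decodeBoundedJSON(strings.NewReader(big), limit, &out))
}
```

The byte cap bounds what is buffered per response; the process-level memory limits described above remain useful as a backstop.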