Shelly Pro 4PM Allocation of Resources Without Limits Vulnerability Allowing Denial-of-Service

Vulnerability

A vulnerability in the Shelly Pro 4PM smart relay, in versions prior to 1.6, allows a network request to trigger excessive resource allocation, leading to unauthorized device reboots. The issue affects the device's remote-control interface, where oversized requests disrupt normal operation by forcing the device to crash and restart. The vulnerability impacts 30 different API methods, creating a repeatable denial-of-service condition that requires no special privileges.

Impact

Exploitation of this vulnerability causes the device to reboot, disrupting control over connected circuits and causing outages that can affect automation routines and visibility into device status.

Reproduction

The vulnerability can be reproduced by sending an HTTP POST request to the 'KVS.List' method of the device's JSON-RPC API with the 'match' parameter populated by an excessively long string. The server-side parser processes the string without proper bounds checking, leading to heap memory exhaustion and a device crash.

Remediation

Users are advised to update the Shelly Pro 4PM to version 1.6.0 or later, available through the local web interface or the Shelly Smart Control application.
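As an added example (not part of this advisory or of Shelly's own code) covering both the Reproduction and Remediation sections above, the following script does two defender-side checks: it flags JSON-RPC request bodies whose string parameters are far larger than any legitimate KVS key pattern, generalized to every method since the advisory reports 30 affected ones, and it tests whether a reported version string predates the 1.6.0 fix. The access-log line format, the size thresholds and the sample lines are assumptions constructed for this example; a real device does not log in this shape.

```python
import json
import re
from typing import Optional

# Assumed thresholds: a KVS.List 'match' pattern is a short key glob, so a string
# parameter beyond a few hundred bytes, or a whole RPC body beyond a few KiB, is suspect.
MAX_PARAM_LEN = 256
MAX_BODY_LEN = 4096
FIXED_VERSION = (1, 6, 0)   # version named in the advisory's Remediation section

# Constructed log format for this example: "<src> POST <path> <status> body=<json>"
LOG_RE = re.compile(r"^(?P<src>\S+) POST (?P<path>\S+) (?P<status>\d{3}) body=(?P<body>.*)$")

SAMPLE_LOG = [  # constructed sample lines, not real device output
    '10.0.0.5 POST /rpc 200 body={"id":1,"method":"KVS.List","params":{"match":"cfg*"}}',
    '10.0.0.9 POST /rpc 200 body={"id":2,"method":"KVS.List","params":{"match":"' + "A" * 1024 + '"}}',
    '10.0.0.5 POST /rpc 200 body={"id":3,"method":"Shelly.GetDeviceInfo"}',
]

def parse_version(ver: str) -> tuple:
    """Turn '1.5.1' or '1.6' into a 3-tuple of ints; a prerelease suffix after '-' is ignored."""
    parts = [int(p) for p in ver.split("-")[0].split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])

def is_vulnerable_firmware(ver: str) -> bool:
    """True when the reported version predates the 1.6.0 fix."""
    return parse_version(ver) < FIXED_VERSION

def inspect_rpc_body(body: str) -> Optional[str]:
    """Return a reason if the RPC body looks like a resource-exhaustion attempt, else None."""
    if len(body) > MAX_BODY_LEN:
        return f"body too large ({len(body)} bytes)"
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        return "malformed JSON"
    if not isinstance(rpc, dict):
        return "unexpected JSON shape"
    params = rpc.get("params") or {}
    if isinstance(params, dict):
        for name, value in params.items():
            if isinstance(value, str) and len(value) > MAX_PARAM_LEN:
                return f"oversized string parameter '{name}' in {rpc.get('method')} ({len(value)} bytes)"
    return None

def flag_log_lines(lines) -> list:
    """Run inspect_rpc_body over log lines; returns (source address, reason) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reason := inspect_rpc_body(m.group("body"))):
            hits.append((m.group("src"), reason))
    return hits
```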

Added: Nov 19, 2025, 7:22 AM
Updated: Nov 19, 2025, 7:22 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 8.8
remediation: 7.9
relevance: 1.1
threat: 4.8
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.