Abacus Server-Sent Events Goroutine Leak Vulnerability

Vulnerability

A critical goroutine leak exists in the Server-Sent Events (SSE) implementation of the Abacus counting API in versions prior to 1.4.0. When a client disconnects from the '/stream' endpoint, the server neither releases the resources tied to that connection nor terminates the goroutines serving it: the event-handling code does not clean up its channels on disconnect, so goroutines waiting on those channels block indefinitely. Every connect/disconnect cycle therefore leaves behind more parked goroutines and the memory they hold, until the server exhausts its resources and stops accepting new SSE connections. In production, especially under high traffic or frequent SSE connection cycling, this can cause significant disruption.

Impact

Exploitation produces a goroutine leak. Go does not garbage-collect goroutines: one that is blocked forever on a channel operation is never reclaimed, and neither is the memory it references (its stack, the channel, and any pending events). Blocked goroutines therefore accumulate with every disconnect, memory usage climbs and then settles at a high level, and after prolonged use the '/stream' endpoint stops responding to new clients. Other API endpoints keep working, so the failure is selective: SSE connections are denied while the rest of the service appears healthy, which creates a bottleneck for applications that rely on real-time updates.
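The mechanism described in the Vulnerability and Impact sections, reduced to a runnable Go model. This is an added illustration, not Abacus's own code: the Broker, subscription and streamHandler names are hypothetical stand-ins for an SSE fan-out, and cancelling the request context stands in for what net/http does when a client disconnects. The same handler is run with and without the cleanup step so the leak can be measured with runtime.NumGoroutine.

```go
package main

import (
	"context"
	"fmt"
	"runtime"
	"sync"
	"time"
)

type Event struct{ Value int } // one SSE payload; a real handler writes it as "data: ...\n\n"

// subscription is one connected stream client (hypothetical type, not Abacus's own).
type subscription struct {
	events chan Event    // unbuffered: a send blocks until the handler receives
	done   chan struct{} // closed by Unsubscribe so a parked sender can give up
}

// Broker fans counter updates out to every subscribed stream client.
type Broker struct {
	mu   sync.Mutex
	subs map[*subscription]struct{}
}

func (b *Broker) Subscribe() *subscription {
	s := &subscription{events: make(chan Event), done: make(chan struct{})}
	b.mu.Lock()
	defer b.mu.Unlock()
	b.subs[s] = struct{}{}
	return s
}

// Unsubscribe removes s and releases any delivery goroutine parked on it.
func (b *Broker) Unsubscribe(s *subscription) {
	b.mu.Lock()
	defer b.mu.Unlock()
	if _, ok := b.subs[s]; ok {
		delete(b.subs, s)
		close(s.done)
	}
}

// Publish delivers ev to each subscriber in its own goroutine so one slow client cannot
// stall the rest. That goroutine stays parked until the handler receives the event or
// the subscription is torn down; if neither ever happens it lives for the whole process.
func (b *Broker) Publish(ev Event) {
	b.mu.Lock()
	defer b.mu.Unlock()
	for s := range b.subs {
		go func(s *subscription) {
			select {
			case s.events <- ev:
			case <-s.done:
			}
		}(s)
	}
}

// streamHandler serves one client until the request context is cancelled, which is what
// net/http does when the client disconnects. With cleanup=false it mirrors the bug class
// in the advisory: the subscription stays registered, so every later Publish parks a
// goroutine on a channel nobody will ever read. With cleanup=true it unsubscribes on
// exit, which stops future sends and unblocks any sender already waiting.
func streamHandler(ctx context.Context, b *Broker, cleanup bool, write func(Event)) {
	s := b.Subscribe()
	if cleanup {
		defer b.Unsubscribe(s)
	}
	for {
		select {
		case ev := <-s.events:
			write(ev)
		case <-ctx.Done():
			return
		}
	}
}

// LeakedGoroutines runs `clients` handlers whose client has already gone away, then
// publishes `events` updates with nobody listening and returns how many goroutines
// remain above the starting count: 0 with cleanup, clients*events without it.
func LeakedGoroutines(cleanup bool, clients, events int) int {
	b := &Broker{subs: map[*subscription]struct{}{}}
	baseline := runtime.NumGoroutine()
	for i := 0; i < clients; i++ {
		ctx, cancel := context.WithCancel(context.Background())
		cancel()                                       // the client is gone before the handler runs
		streamHandler(ctx, b, cleanup, func(Event) {}) // returns as soon as it sees ctx.Done()
	}
	for i := 0; i < events; i++ {
		b.Publish(Event{Value: i})
	}
	time.Sleep(50 * time.Millisecond) // let delivery goroutines exit or park
	return runtime.NumGoroutine() - baseline
}

func main() {
	fmt.Println("leaky:", LeakedGoroutines(false, 10, 100), "fixed:", LeakedGoroutines(true, 10, 100))
}
```

With cleanup=false the count grows by one parked goroutine per dead subscriber per published event and never falls, which is why memory climbs with every connect/disconnect cycle and a restart is the only way to get it back. With cleanup=true it returns to the starting count. The fix needs both halves: the handler must deregister on exit, and the publisher must have a way (here the done channel) to abandon a send that is already in flight, otherwise a goroutine that started sending just before the client left is still stranded.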

Reproduction

To reproduce, open a connection to the '/stream' endpoint and then close it, using curl, Postman, or any HTTP client that can hold an SSE stream open; with curl, a short --max-time makes the client drop the connection on its own, so the connect/disconnect cycle can be scripted in a loop. After enough cycles the '/stream' endpoint stops accepting new connections while the server's memory usage stays high and does not return to baseline. If the deployment exposes Go's runtime goroutine count (for example through a pprof or metrics endpoint), it rises with every cycle and never falls back, which is the clearest signal of the leak.

Remediation

Users are advised to upgrade to Abacus version 1.4.0 or later, which is the only complete fix. If an immediate upgrade is not possible, the following workarounds reduce exposure: limit the maximum number of connections to '/stream' at the reverse proxy, enforce request timeouts, schedule regular service restarts (the only way to reclaim goroutines that are already blocked), monitor memory usage and, where available, goroutine counts for abnormal growth, and run a separate Abacus instance for SSE connections so that a leaking stream process cannot take the rest of the API down with it. Note that connection limits and timeouts bound how fast the leak accumulates rather than preventing it, since every closed stream, including one closed by a timeout, takes the same disconnect path that triggers the bug.
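One way to apply the reverse-proxy workarounds above, as an added example rather than configuration from the advisory or the Abacus project. The snippet belongs in nginx's http context; the zone name, the per-IP limit of 5, the 300s timeouts, the listen port and the upstream address 127.0.0.1:8080 are all assumptions to adjust for the deployment.

```nginx
# Bound concurrent /stream connections per client IP and cap how long an idle stream may
# stay open. Illustrative values: zone name, limits and upstream address are assumptions.
limit_conn_zone $binary_remote_addr zone=abacus_sse:10m;

upstream abacus {
    server 127.0.0.1:8080;   # assumed Abacus listener
}

server {
    listen 80;

    location /stream {
        limit_conn abacus_sse 5;          # at most 5 open SSE streams per client IP
        limit_conn_status 429;            # reject the sixth with 429 instead of 503

        proxy_pass http://abacus;
        proxy_http_version 1.1;
        proxy_set_header Connection "";   # keep the upstream connection open for streaming
        proxy_buffering off;              # SSE events must be flushed as they arrive
        proxy_cache off;
        proxy_read_timeout 300s;          # close a stream that sends nothing for 5 minutes
        proxy_send_timeout 300s;
    }

    location / {
        proxy_pass http://abacus;         # the other API endpoints, left unlimited
    }
}
```

The limit caps how many streams a single source can hold open at once, which keeps the goroutine population bounded against a client that simply opens thousands of streams. It does not stop the leak itself: a client that connects and disconnects repeatedly stays under the limit and still leaves goroutines behind on every cycle, and a stream that nginx closes on timeout reaches Abacus as an ordinary disconnect. Pair it with the restart schedule and memory monitoring from the list above until the upgrade is in place.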

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 7.9
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.