Redlib Denial-of-Service Vulnerability via DEFLATE Decompression Bomb
Vulnerability
A denial-of-service vulnerability has been identified in Redlib, an alternative private front-end to Reddit. The issue arises in versions prior to 0.35.1, where an attacker can submit a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. Exploitation leads to excessive memory consumption and potential system instability, disrupting Redlib instances. The vulnerability was introduced in version 0.35.0 and has been fixed in version 0.36.0.
Impact
Exploitation of this vulnerability causes high memory usage, leading to out-of-memory conditions and exhaustion of operating system resources. This can cause system instability or crashes, disrupting any public Redlib instance.
Reproduction
To reproduce this vulnerability, send a POST request to the '/settings/encoded-restore' endpoint with a base2048-encoded DEFLATE decompression bomb as the 'encoded_prefs' parameter. The server decompresses the payload without bounding the output size, causing excessive memory usage and potential system instability.
Remediation
Users should upgrade to Redlib version 0.36.0, where this vulnerability has been patched.
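The pattern behind the fix, as an added example that is not Redlib's own code: inflate the submitted blob with a hard output cap so a bomb is detected after one byte past the limit rather than after gigabytes are allocated. It assumes raw DEFLATE (no zlib header) and a hypothetical 64 KiB cap, and leaves base2048 decoding out of scope.

```python
import zlib

# Hypothetical cap: a preferences blob is a few hundred bytes of settings,
# so anything that inflates past this is not legitimate input.
MAX_PREFS_BYTES = 64 * 1024


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header); assumed to match the payload format."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def inflate_bounded(compressed: bytes, max_out: int = MAX_PREFS_BYTES):
    """Inflate raw DEFLATE but never produce more than max_out bytes.

    zlib is asked for at most max_out + 1 bytes, so an oversize stream is
    recognised after one extra byte; the rest stays in unconsumed_tail and
    is never expanded. Returns the plaintext, or None when the stream is
    oversize or does not terminate cleanly.
    """
    d = zlib.decompressobj(-15)
    out = d.decompress(compressed, max_out + 1)
    if len(out) > max_out:
        return None  # bomb: output exceeded the cap with input still pending
    if not d.eof:
        return None  # truncated or malformed stream
    return out


def naive_inflate(compressed: bytes) -> bytes:
    """The unbounded pattern the advisory describes: output grows with input."""
    return zlib.decompress(compressed, -15)


def make_bomb(size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed test payload: `size` zero bytes, only a few KiB compressed."""
    return deflate_raw(b"\0" * size)


if __name__ == "__main__":
    prefs = b'{"theme":"dark","front_page":"popular"}'
    print(inflate_bounded(deflate_raw(prefs)))   # legitimate blob passes
    bomb = make_bomb()
    print(len(bomb), inflate_bounded(bomb))      # a few KiB in, None out
```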