github.com/rs/cors
cpe:2.3:a:go_cors_project:go_cors:*:*:*:*:*:*:*
- >= 1.9.0, < 1.11.0
A denial-of-service vulnerability has been identified in the rs CORS middleware (github.com/rs/cors), affecting versions from 1.9.0 up to, but not including, 1.11.0. The issue arises when the middleware processes preflight requests that carry an Access-Control-Request-Headers (ACRH) header whose value contains a very large number of commas. Parsing such a value causes excessive heap allocations and places significant load on the server, potentially exhausting available memory and crashing the process. The vulnerability is particularly concerning because it can be triggered without authentication, and while many Web Application Firewalls (WAFs) might block such malicious requests, not all servers are protected by a WAF.
Exploitation of this vulnerability can lead to a denial-of-service condition, causing the server to become unresponsive or to crash entirely. This has been observed in local tests where a Docker container running the affected middleware ran out of memory and terminated.
The vulnerability can be reproduced by sending a preflight request (HTTP OPTIONS method) to a server using the rs CORS middleware. The request must include an ACRH header populated with a large number of commas. This can be automated with a script that generates the required header format.
Users can update to rs CORS version 1.11.0 or later, where this vulnerability has been fixed.
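Upgrading is the fix; for deployments that cannot update immediately, a bound on the ACRH header before it reaches the CORS middleware removes the allocation trigger. The following Go wrapper is an added example for this advisory, not code from the rs/cors project; the limits, the handler name and the rejection status are assumptions to tune for the deployment.

```go
package main

import (
	"net/http"
	"strings"
)

// Assumed limits: a legitimate preflight lists a handful of header names,
// so a kilobyte and a few dozen fields is generous for real clients.
const (
	maxACRHBytes  = 1024
	maxACRHFields = 32
)

// acrhTooLarge reports whether an Access-Control-Request-Headers value lies
// outside what a legitimate preflight needs. Counting separators with
// strings.Count is O(n) and allocates nothing, unlike splitting the value
// into a slice, so the check itself cannot be turned into the same problem.
func acrhTooLarge(value string) bool {
	if len(value) > maxACRHBytes {
		return true
	}
	return strings.Count(value, ",")+1 > maxACRHFields
}

// LimitPreflightHeaders wraps next (for example the CORS handler) and
// rejects OPTIONS requests whose ACRH header exceeds the limits before the
// CORS middleware ever parses it. Non-preflight traffic passes through.
func LimitPreflightHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodOptions &&
			acrhTooLarge(r.Header.Get("Access-Control-Request-Headers")) {
			http.Error(w, "preflight header too large", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Logging the rejections gives a simple detection signal for attempts against the middleware.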