curl
cpe:2.3:a:curl:curl:*:*:*:*:*:*:*
- >= 8.13.0, <= 8.14.0
A denial-of-service vulnerability has been identified in libcurl's WebSocket implementation, affecting versions from 8.13.0 up to, but not including, 8.14.1. A malicious server can send a specially crafted packet that traps libcurl in an infinite busy loop. This loop can only be exited by terminating the thread or process, potentially causing a DoS condition in applications that use libcurl.
Exploitation of this vulnerability leads to an infinite loop in the application's WebSocket handling, causing high CPU usage and disrupting the application's normal operation.
The vulnerability can be reproduced by using a WebSocket client that sends messages to a server while the 'auto-pong' feature is enabled. The server must send a PING message that interferes with the client's message framing, causing the client to enter an endless loop. This can be achieved by using the libcurl WebSocket API with the 'CURLWS_OFFSET' flag, which allows the client to send partial messages. When the server sends a PING message during this process, the client gets stuck in a loop that can only be broken by killing the process.
Users can upgrade to libcurl version 8.14.1 or later, or apply a patch that modifies the WebSocket sending function to prevent the infinite loop.
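For triage, the affected version range and the WebSocket dependency described above can be checked from `curl --version` output. This is an added example, not part of the advisory or the curl project; the function names and the sample outputs are constructed for illustration.

```shell
# Added example (not from the advisory): classify `curl --version` output
# against the affected range stated above (libcurl 8.13.0 through 8.14.0).

# "X.Y.Z" -> comparable integer.
ver_to_int() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# classify_curl TEXT: TEXT is the full output of `curl --version`.
# Prints: affected | no-websocket | not-affected | unknown
classify_curl() {
    text=$1
    # Line 1 carries "libcurl/X.Y.Z"; keep only the numeric part.
    ver=$(printf '%s\n' "$text" |
        sed -n '1s|.*libcurl/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p')
    [ -n "$ver" ] || { echo unknown; return; }
    v=$(ver_to_int "$ver")
    if [ "$v" -lt "$(ver_to_int 8.13.0)" ] || [ "$v" -gt "$(ver_to_int 8.14.0)" ]; then
        echo not-affected; return
    fi
    # The flaw is in the WebSocket code: a build without ws/wss is not exposed.
    protos=$(printf '%s\n' "$text" | sed -n 's/^Protocols: *//p')
    case " $protos " in
        *" ws "*|*" wss "*) echo affected ;;
        *) echo no-websocket ;;
    esac
}

# Constructed sample outputs, not captured from real hosts.
SAMPLE_AFFECTED='curl 8.14.0 (x86_64-pc-linux-gnu) libcurl/8.14.0 OpenSSL/3.0.13
Protocols: dict file ftp ftps http https ws wss'
SAMPLE_FIXED='curl 8.14.1 (x86_64-pc-linux-gnu) libcurl/8.14.1 OpenSSL/3.0.13
Protocols: dict file ftp ftps http https ws wss'
SAMPLE_NO_WS='curl 8.13.0 (x86_64-pc-linux-gnu) libcurl/8.13.0 OpenSSL/3.0.13
Protocols: dict file ftp ftps http https'

for s in "$SAMPLE_AFFECTED" "$SAMPLE_FIXED" "$SAMPLE_NO_WS"; do
    classify_curl "$s"
done
# On a real host: classify_curl "$(curl --version)"
```

The result describes the libcurl that the `curl` tool links against; an application that bundles or statically links its own libcurl needs the same check against that copy.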