Facebook Proxygen Unbounded Memory Growth Vulnerability in HTTP/QUIC Coroutine Session

Vulnerability

A denial-of-service vulnerability has been identified in Facebook Proxygen versions v2025.08.25.00 through v2025.12.01.00. The issue arises when an HTTP request or response body exceeds 2^31 bytes, causing an infinite loop in the 'proxygen::coro::HTTPQuicCoroSession' component. This loop blocks the event loop and appends data to a vector on every iteration, so memory grows without bound until the process runs out of memory.
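The following is an added, constructed model of the failure mode described above, written for this page and not taken from Proxygen's code. It assumes, for illustration only, that the body offset is tracked in a signed 32-bit counter while the declared length is 64-bit; the actual Proxygen defect may differ in detail. The flawed consumer shows the loop that never terminates once the offset passes 2^31 - 1 and keeps appending to a vector, and the hardened consumer beside it shows the three defensive properties a body-consumer loop should have: 64-bit accounting, an up-front cap on the body size (kMaxBodyBytes is an assumed policy value, not a Proxygen setting), and a progress check that aborts instead of spinning.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Constructed model (illustrative, not Proxygen's code): a body of `total`
// bytes arrives in chunks of `chunk` bytes, and each chunk descriptor is
// appended to a vector, mirroring "adds data to a vector with each iteration".
struct ConsumeResult {
    bool finished;           // true if the loop ended because the body was fully consumed
    uint64_t iterations;     // number of chunks appended
    uint64_t bufferedChunks; // vector size at exit: grows with every iteration
};

// Flawed model: the offset is a signed 32-bit counter compared against a 64-bit
// total. Past 2^31 - 1 the offset wraps negative (modelled explicitly through
// uint32_t arithmetic so the wrap is well defined), `offset < total` stays true
// forever and the vector grows without bound. `maxIterations` is only a harness
// guard so the model itself terminates; the real loop has no such guard.
ConsumeResult consumeBodyInt32(uint64_t total, uint32_t chunk, uint64_t maxIterations) {
    std::vector<uint32_t> chunks;
    int32_t offset = 0;
    uint64_t iterations = 0;
    while (static_cast<int64_t>(offset) < static_cast<int64_t>(total)) {
        if (iterations >= maxIterations) {
            return {false, iterations, chunks.size()}; // harness guard: loop did not finish
        }
        chunks.push_back(chunk);
        ++iterations;
        // modular 32-bit wrap-around of the offset
        offset = static_cast<int32_t>(static_cast<uint32_t>(offset) + chunk);
    }
    return {true, iterations, chunks.size()};
}

// Hardened model: 64-bit accounting, a hard cap on body size checked before
// anything is buffered, and a no-progress check that aborts the session.
constexpr uint64_t kMaxBodyBytes = 1ull << 30; // assumed 1 GiB policy limit

enum class ConsumeStatus { Done, RejectedTooLarge, AbortedNoProgress };

struct SafeResult {
    ConsumeStatus status;
    uint64_t iterations; // chunks appended
    uint64_t bytes;      // bytes consumed
};

SafeResult consumeBodySafe(uint64_t total, uint32_t chunk) {
    if (total > kMaxBodyBytes) {
        return {ConsumeStatus::RejectedTooLarge, 0, 0}; // reject before buffering anything
    }
    std::vector<uint32_t> chunks;
    uint64_t offset = 0;
    uint64_t iterations = 0;
    while (offset < total) {
        if (chunk == 0) {
            // no forward progress is possible: abort instead of looping forever
            return {ConsumeStatus::AbortedNoProgress, iterations, offset};
        }
        // never account for more than the declared length
        uint64_t step = std::min<uint64_t>(chunk, total - offset);
        chunks.push_back(static_cast<uint32_t>(step));
        offset += step;
        ++iterations;
    }
    return {ConsumeStatus::Done, iterations, offset};
}
```

With a 10 MiB body in 1 MiB chunks both consumers finish after 10 iterations; with a body of 2^31 + 1 bytes the flawed consumer is still looping (and still appending to the vector) when the harness guard stops it, while the hardened consumer rejects the body before buffering anything.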

Impact

Exploitation of this vulnerability causes the process to exhaust available memory, leading to a crash.

Reproduction

The vulnerability can be reproduced by sending an HTTP request or response body larger than 2^31 bytes to a server that uses Facebook Proxygen with QUIC support enabled, using any tool or script that allows the request size to be controlled, such as a custom HTTP client or a load testing tool. The server's memory consumption and process behavior can then be monitored to observe the effect.

Remediation

Users should update to the latest version of Facebook Proxygen, as this vulnerability has been addressed in the v2025.12.02.00 release.

Added: Dec 2, 2025, 10:18 PM
Updated: Dec 3, 2025, 1:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 1.2
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.