Google Brotli
cpe:2.3:a:google:brotli:*:*:*:*:*:*:*
- < 2.0.5
A denial-of-service vulnerability has been identified in Bugsink, a self-hosted error tracking tool, in versions prior to 2.0.5. Bugsink accepts Brotli-compressed event payloads and decompressed them without any bound on the output size. A highly compressed stream (a Brotli "bomb": a few kilobytes of compressed data that expand to a very large run of repeated bytes) therefore causes the server to allocate the entire decompressed payload in memory, exhausting available resources. The affected product is Bugsink, not the Brotli library itself; the defect is unbounded decompression of attacker-controlled input. Exploitation requires only knowledge of the Data Source Name (DSN), which is routinely exposed because it is embedded in browser JavaScript bundles and mobile applications.
Exploitation exhausts the server's memory, leaving the application unresponsive or causing the worker process to be killed, resulting in a denial-of-service condition.
The vulnerability can be reproduced by sending a crafted Brotli stream, for example the compression of a long run of zero bytes, to the error-reporting (ingestion) endpoint of a Bugsink instance running a vulnerable version. Because the compressed request is small, ordinary request-body size limits at a reverse proxy do not prevent the attack; the expansion happens only after the body has been accepted. The DSN is the only credential needed, and it is exposed in JavaScript and mobile apps.
Users should upgrade to Bugsink version 2.0.5 or later, which addresses this issue. A body-size limit at the reverse proxy bounds only the compressed size and is not a substitute for the fix.
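The following is an added example, not Bugsink's own code, illustrating the unsafe pattern described above and a bounded-decompression safeguard. It uses zlib from the Python standard library as the demonstration backend so that it runs without third-party packages; the same streaming-with-a-cap pattern applies to `brotli.Decompressor().process`, which is wired in as an optional backend (assumption: the `brotli` package is installed only if you call `brotli_feed`). The bomb payload, the 1 MiB cap and the 4 KiB input slice size are constructed for the demo.

```python
"""Bounded decompression of client-supplied compressed payloads.

Added example (not Bugsink's own code). zlib stands in for Brotli so the
demo runs offline; the pattern is the same for brotli.Decompressor().process.
"""
import zlib

try:
    import brotli  # optional third-party package; only needed for brotli_feed()
except ImportError:
    brotli = None

MAX_DECOMPRESSED = 1 * 1024 * 1024   # 1 MiB output cap chosen for the demo
INPUT_CHUNK = 4096                    # feed compressed bytes in small slices


class DecompressionBomb(ValueError):
    """Raised when decompressed output would exceed the configured cap."""


def zlib_compress(data):
    return zlib.compress(data, 9)


def make_zlib_bomb(size=16 * 1024 * 1024):
    """Constructed sample input: `size` zero bytes compressed at max level.
    Deflate compresses runs of zeros at roughly 1000:1, so 16 MiB of zeros
    becomes ~16 KiB on the wire."""
    return zlib_compress(b"\x00" * size)


def naive_decompress(payload):
    """The unsafe pattern: decode the whole stream with no output cap.
    Memory use is decided by the attacker, not by the request size."""
    return zlib.decompress(payload)


def zlib_feed():
    """Fresh stateful zlib decompressor, exposed as a feed(bytes) -> bytes callable."""
    return zlib.decompressobj().decompress


def brotli_feed():
    """Same interface for Brotli (assumes the `brotli` package is installed)."""
    if brotli is None:
        raise RuntimeError("brotli package not installed")
    return brotli.Decompressor().process


def bounded_decompress(payload, feed, max_output=MAX_DECOMPRESSED, chunk=INPUT_CHUNK):
    """Decompress `payload` by feeding it to `feed` in small slices and abort
    as soon as the cumulative output exceeds `max_output`.

    Between two checks the decoder can only emit what one input slice
    expands to (about 1032:1 for deflate; for Brotli up to one meta-block,
    at most 16 MiB), so peak memory is bounded regardless of the overall
    compression ratio of the stream.
    """
    out = bytearray()
    for i in range(0, len(payload), chunk):
        out += feed(payload[i:i + chunk])
        if len(out) > max_output:
            raise DecompressionBomb(
                f"decompressed output exceeded {max_output} bytes "
                f"after {min(i + chunk, len(payload))} compressed bytes")
    return bytes(out)


def rejects(payload, feed_factory):
    """True if the bounded decoder refuses `payload`, False if it decodes it."""
    try:
        bounded_decompress(payload, feed_factory())
    except DecompressionBomb:
        return True
    return False


def demo():
    """Returns (compressed size, expansion ratio, outcome) for the bomb."""
    bomb = make_zlib_bomb()
    ratio = (16 * 1024 * 1024) // len(bomb)
    outcome = "rejected" if rejects(bomb, zlib_feed) else "accepted"
    return len(bomb), ratio, outcome


if __name__ == "__main__":
    size, ratio, outcome = demo()
    print(f"bomb: {size} bytes on the wire, ~{ratio}:1 expansion, {outcome}")
```

The cap should be set to the largest event payload the application legitimately accepts after decompression, and the rejection should be logged with the DSN so that abusive clients can be identified and rate-limited.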