Undici HTTP Client Unbounded Decompression Chain Vulnerability Leading to Resource Exhaustion

Vulnerability

A vulnerability in the Undici HTTP/1.1 client for Node.js allows unbounded decompression of HTTP responses. The issue is present in versions prior to 7.18.0 and 6.23.0. It arises because the default maximum header size is large enough for a malicious server to list thousands of compression layers in a single response, and the client attempts to decompress every one of them. Exploitation leads to high CPU usage and excessive memory allocation. The problem is fixed in Undici versions 7.18.2 and 6.23.0.

Impact

Exploitation of this vulnerability causes high CPU usage and excessive memory allocation, leading to resource exhaustion.

Reproduction

The vulnerability can be reproduced by sending an HTTP response with a 'Content-Encoding' header that includes a large number of encoding layers. This can be done by configuring a server to add multiple 'Content-Encoding' layers, which Undici will then process, causing the resource exhaustion.

Remediation

Users can upgrade to Undici versions 7.18.2 or 6.23.0 to address this vulnerability. Users who cannot upgrade yet can instead filter out responses with long 'Content-Encoding' sequences using an Undici interceptor.
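The interceptor-based mitigation described above, written here as an added example that is not Undici's own code or the advisory's. It assumes Undici v7's handler API, where an interceptor receives response headers as a plain object in onResponseStart(controller, statusCode, headers, statusMessage) and can stop the exchange with controller.abort(err); the layer limit of 4 is a constructed policy value.

```javascript
// Added example, not Undici's or the advisory's code. Assumed (labelled)
// detail: Undici v7's handler API, where the interceptor sees response
// headers in onResponseStart(controller, statusCode, headers, statusMessage)
// as a plain object and can stop the exchange with controller.abort(err).
// Legitimate servers rarely stack more than two codings (e.g. "gzip, br"),
// so a small cap blocks the attack without affecting normal traffic.

const MAX_ENCODING_LAYERS = 4; // constructed policy value, tune as needed

// Count the coding tokens in a Content-Encoding value. Accepts a string,
// an array of strings (repeated header lines) or undefined, and follows
// the RFC 9110 comma-separated list syntax.
function countEncodingLayers(value) {
  if (value === undefined || value === null) return 0;
  const lines = Array.isArray(value) ? value : [value];
  let layers = 0;
  for (const line of lines) {
    for (const token of String(line).split(',')) {
      if (token.trim() !== '') layers += 1;
    }
  }
  return layers;
}

function exceedsLayerLimit(value, limit = MAX_ENCODING_LAYERS) {
  return countEncodingLayers(value) > limit;
}

// Interceptor factory. Usage: client.compose(limitContentEncoding(4)).
// The check runs when headers arrive, before any body byte reaches a
// decompressor, so no inflate stream is created for an over-long chain.
function limitContentEncoding(limit = MAX_ENCODING_LAYERS) {
  return (dispatch) => (opts, handler) => {
    if (typeof handler.onResponseStart !== 'function') {
      return dispatch(opts, handler); // legacy handler shape: pass through
    }
    const wrapped = Object.create(handler); // keep every other hook as-is
    wrapped.onResponseStart = (controller, statusCode, headers, statusMessage) => {
      const encoding = headers['content-encoding'];
      if (exceedsLayerLimit(encoding, limit)) {
        controller.abort(new Error(
          `rejected response: Content-Encoding lists ${countEncodingLayers(encoding)} ` +
          `codings, limit is ${limit}`));
        return;
      }
      return handler.onResponseStart(controller, statusCode, headers, statusMessage);
    };
    return dispatch(opts, wrapped);
  };
}
```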

Added: Jan 14, 2026, 7:22 PM
Updated: Jan 14, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 0.8
exploitability: 5.7
remediation: 7.7
relevance: 2.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.