Tandoor Recipes Denial-of-Service Vulnerability in Recipe Import Functionality

Vulnerability

A critical denial-of-service vulnerability has been identified in Tandoor Recipes versions prior to 2.6.5. The issue arises in the recipe import feature, where an authenticated user can upload a large ZIP file, known as a ZIP bomb, to crash the server or significantly degrade its performance. The vulnerability exists because the application does not validate the uncompressed size of files before extracting them, allowing a small compressed file to expand into a large payload that consumes excessive memory and resources.

Impact

Exploitation of this vulnerability leads to a complete denial-of-service condition. The application's process is terminated by the operating system's Out-of-Memory (OOM) Killer, or the server becomes unresponsive due to excessive swapping, affecting all users. The vulnerability also involves unrestricted file uploads, as the file size is not checked, and the impact can vary depending on the server environment.

Reproduction

To reproduce this vulnerability, upload a ZIP file containing a large payload, such as a 20GB ZIP bomb, through the recipe import feature in the application. The server will attempt to extract the file into memory, causing a significant spike in memory usage and potentially leading to an OOM kill or unresponsiveness.

Remediation

Users are advised to update to Tandoor Recipes version 2.6.5 or later, where this vulnerability has been fixed.
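As an added illustration (not Tandoor's own code, and not the fix shipped in 2.6.5), the Python below shows the kind of pre-extraction validation the advisory describes as missing: declared uncompressed sizes and compression ratios are checked from the ZIP central directory before anything is inflated, and each member is then inflated under a hard byte budget because header fields can be forged. The caps and every function name here are assumptions.

```python
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024  # assumed cap: 50 MiB per import
MAX_RATIO = 100  # assumed cap on uncompressed/compressed ratio per member


class UnsafeArchive(ValueError):
    """Raised when an upload fails a pre-extraction check."""


def check_zip_headers(zf, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Reject on central-directory metadata alone, before any bytes are inflated."""
    total = 0
    for info in zf.infolist():
        total += info.file_size
        if total > max_total:
            raise UnsafeArchive("declared uncompressed size exceeds limit")
        if info.compress_size and info.file_size / info.compress_size > max_ratio:
            raise UnsafeArchive(f"suspicious compression ratio: {info.filename}")
    return total


def read_member_bounded(zf, name, limit):
    """Inflate a member in chunks with a hard byte cap; headers can lie."""
    out = bytearray()
    with zf.open(name) as fh:
        while chunk := fh.read(64 * 1024):
            out += chunk
            if len(out) > limit:
                raise UnsafeArchive(f"{name} grew past the limit while inflating")
    return bytes(out)


def import_recipes_zip(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Hardened import path: validate headers, then inflate under a shared budget."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        check_zip_headers(zf, max_total, max_ratio)
        budget, members = max_total, {}
        for info in zf.infolist():
            members[info.filename] = read_member_bounded(zf, info.filename, budget)
            budget -= len(members[info.filename])
        return members


def make_zip(members):
    """Constructed fixture: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

The ratio check alone is not sufficient, which is why the byte budget is enforced again during inflation; a legitimate recipe export stays well under both caps.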

Added: Apr 10, 2026, 7:30 PM
Updated: Apr 10, 2026, 7:30 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 5.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.