OpenFeature flagd Memory Exhaustion Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in flagd, a feature flag daemon, in versions prior to 0.14.2. The issue arises because flagd's OFREP and gRPC endpoints for feature flag evaluation do not impose any size restrictions on the evaluation context included in request payloads. This lack of restriction allows an attacker to send a single HTTP request with an excessively large body, causing flagd to allocate a corresponding amount of memory. The result is immediate memory exhaustion and process termination, such as an OOMKill in Kubernetes environments. Additionally, flagd's evaluation endpoints do not natively enforce authentication, leaving them vulnerable to exploitation unless protected by an external reverse proxy or similar infrastructure.
Impact
Exploitation of this vulnerability leads to memory exhaustion, causing the flagd process to crash. This disruption affects all applications relying on the impacted flagd instance for feature flag evaluations, causing a loss of access until the process is restarted. Furthermore, an attacker could repeatedly send oversized requests to maintain the disruption.
Reproduction
The vulnerability can be reproduced by sending an HTTP POST request to one of the affected OFREP or gRPC evaluation endpoints, such as '/ofrep/v1/evaluate/flags/myFlag', with a JSON body large enough to exhaust the memory available to the process. Where a maximum request size is enforced it defaults to 1 MiB, and setting it to 0 disables that restriction, which reintroduces the unbounded behaviour. Any HTTP client, such as curl or Postman, or a short script can send such a request. While processing the payload flagd allocates memory proportional to its size, which exhausts memory and terminates the flagd process.
Remediation
Users can upgrade to flagd version 0.14.2 or later, where this vulnerability has been fixed. Instructions for updating can be found in the flagd repository on GitHub.
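To make the defect and its fix concrete, the following is an added Go example written for this advisory; it is not flagd's own code. It contrasts an evaluation handler that buffers the whole request body with no bound against one that caps the body with http.MaxBytesReader and answers an oversized request with 413 instead of allocating for it. The 1 MiB default and the convention that 0 disables the limit follow the advisory; the request body layout, the function names, and the constructed sample payloads are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// DefaultMaxBodyBytes mirrors the 1 MiB default the advisory describes;
// a value of 0 disables the limit entirely (assumed convention, as on the page).
const DefaultMaxBodyBytes int64 = 1 << 20

// evaluationRequest is an assumed OFREP-style body: the caller-supplied
// evaluation context for a flag lookup.
type evaluationRequest struct {
	Context map[string]any `json:"context"`
}

// vulnerableHandler reads the entire body with no bound, so the server
// allocates as much memory as the client chooses to send.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	var req evaluationRequest
	if err := json.Unmarshal(body, &req); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// boundedHandler wraps the body in http.MaxBytesReader so that reading stops
// once maxBodyBytes have been consumed; decoding straight from the stream
// avoids buffering the whole payload before the limit is checked.
func boundedHandler(maxBodyBytes int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body := r.Body
		if maxBodyBytes > 0 { // 0 means "no limit"
			body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
		}
		var req evaluationRequest
		if err := json.NewDecoder(body).Decode(&req); err != nil {
			var tooLarge *http.MaxBytesError
			if errors.As(err, &tooLarge) {
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "bad json", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

// evaluate drives a handler with a synthetic POST to the evaluation path and
// returns the HTTP status code, so behaviour can be checked without a server.
func evaluate(h http.HandlerFunc, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/ofrep/v1/evaluate/flags/myFlag", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	h.ServeHTTP(rec, req)
	return rec.Code
}

// oversizedBody builds a constructed JSON context whose single string value
// pushes the body just past the limit; it stands in for a huge payload.
func oversizedBody(limit int64) string {
	return `{"context":{"padding":"` + strings.Repeat("A", int(limit)+1) + `"}}`
}

func main() {
	const limit int64 = 64 // small constructed limit so the demo runs instantly
	big := oversizedBody(limit)
	small := `{"context":{"user":"alice"}}`
	fmt.Println("unbounded handler, oversized body:", evaluate(vulnerableHandler, big)) // 200: it buffered it all
	fmt.Println("bounded handler, oversized body:  ", evaluate(boundedHandler(limit), big)) // 413
	fmt.Println("bounded handler, normal body:     ", evaluate(boundedHandler(limit), small)) // 200
	fmt.Println("limit disabled (0), oversized:    ", evaluate(boundedHandler(0), big)) // 200 again
}
```

The bounded handler should be read as a defence-in-depth pattern to pair with the upgrade: a reverse proxy in front of flagd, as the advisory mentions, can enforce the same ceiling (for example a client body size limit) before the request reaches the process at all.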
