Quill Unbounded HTTP Response Body Read Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Quill versions prior to 0.7.1. The issue arises from unbounded reads of HTTP response bodies during the Apple notarization process. Under standard network conditions with proper TLS certificate validation the issue is not exploitable, but environments with TLS-intercepting proxies, compromised certificate authorities, or other trust boundary violations are at risk. An attacker in such a position can modify API responses from Apple's notarization service and return arbitrarily large payloads, causing the Quill client to exhaust memory and crash. This issue affects both the Quill CLI and the library when used for notarization operations.
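The defensive pattern the fix relies on, shown as an added Go example that is not Quill's own code: the response body is read through a size cap instead of io.ReadAll with no limit, and a Content-Length above the cap is rejected before any bytes are read. The 64 KiB cap and the httptest server returning a 1 MiB body are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrBodyTooLarge is returned when a response body exceeds the configured cap.
var ErrBodyTooLarge = errors.New("response body exceeds configured size limit")

// readBodyBounded reads at most maxBytes from r. It asks the limited reader for one
// extra byte so "exactly maxBytes" and "more than maxBytes" can be told apart.
func readBodyBounded(r io.Reader, maxBytes int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrBodyTooLarge
	}
	return data, nil
}

// readResponseBounded applies the cap to an *http.Response and always closes the body.
// An advertised Content-Length over the cap is rejected early; chunked or lying responses are caught by the reader limit.
func readResponseBounded(resp *http.Response, maxBytes int64) ([]byte, error) {
	defer resp.Body.Close()
	if resp.ContentLength > maxBytes {
		return nil, ErrBodyTooLarge
	}
	return readBodyBounded(resp.Body, maxBytes)
}

func main() {
	// Constructed stand-in for a tampered API reply: a body far larger than any legitimate status document.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, strings.Repeat("A", 1<<20)) // 1 MiB
	}))
	defer srv.Close()
	resp, err := http.Get(srv.URL)
	if err != nil {
		panic(err)
	}
	_, err = readResponseBounded(resp, 64<<10) // 64 KiB is ample for a JSON status response
	fmt.Println("bounded read result:", err)
}
```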

Impact

Exploitation of this vulnerability can lead to a crash of the Quill client due to excessive memory consumption, causing a denial-of-service condition.

Remediation

Users should upgrade to Quill version 0.7.1 to address this vulnerability.

Added: Mar 11, 2026, 8:26 PM
Updated: Mar 11, 2026, 8:26 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         2.5
exploitability: 6.2
remediation:    0.0
relevance:      3.8
threat:         0.0
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.