Phoenix Framework Long-Poll NDJSON Body Handling Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Phoenix Framework, specifically in versions 1.7.0 prior to 1.7.22 and 1.8.0 prior to 1.8.6. The issue arises in the long-poll transport's handling of NDJSON bodies in POST requests. When a request with 'Content-Type: application/x-ndjson' is received, the body is split on newline characters without any limit on the number of segments. This allows an attacker to send a body filled with newline bytes, leading to a significant amplification effect—approximately one million empty binary elements for every megabyte of data sent. The vulnerability is exacerbated by the fact that the session token required to access the endpoint can be obtained through an unauthenticated GET request, making the attack effectively unauthenticated.
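The amplification described above comes from splitting an untrusted body on newlines with no cap on the result. As an added illustration (not Phoenix's own transport code; the module name and the limits are assumptions), the following Elixir contrasts the unbounded split with a bounded one that rejects a body before it can expand into millions of empty binaries:

```elixir
# Added illustration, not Phoenix's own code. NdjsonGuard and the limits are assumptions.
defmodule NdjsonGuard do
  @moduledoc """
  Splits an NDJSON request body into segments with a hard cap, so a body made
  of newline bytes is rejected instead of being expanded in memory.
  """

  # Assumed limits; tune them to the application's real message sizes.
  @max_segments 100
  @max_body_bytes 1_000_000

  # Unbounded split: the pattern the advisory describes. A 1 MB body consisting
  # only of "\n" yields roughly one million empty binaries.
  def split_unbounded(body) when is_binary(body) do
    String.split(body, "\n")
  end

  # Bounded split: the number of pieces produced is limited by `parts:`, so the
  # work done depends on the cap rather than on the attacker's input. Any
  # remainder left in the last piece that still contains a newline means the
  # body had more segments than allowed, and it is rejected.
  def split_bounded(body) when is_binary(body) do
    if byte_size(body) > @max_body_bytes do
      {:error, :body_too_large}
    else
      parts = String.split(body, "\n", parts: @max_segments + 1)
      overflow? =
        length(parts) == @max_segments + 1 and String.contains?(List.last(parts), "\n")

      # Empty lines (e.g. a trailing newline) carry no message and are dropped.
      segments = Enum.reject(parts, &(&1 == ""))

      if overflow? or length(segments) > @max_segments do
        {:error, :too_many_segments}
      else
        {:ok, segments}
      end
    end
  end
end

# Constructed inputs:
#   NdjsonGuard.split_bounded(~s({"a":1}\n{"b":2}\n))          -> {:ok, [~s({"a":1}), ~s({"b":2})]}
#   NdjsonGuard.split_bounded(String.duplicate("\n", 1_000_000)) -> {:error, :too_many_segments}
```

The body-size check alone is not sufficient: a 1 MB limit still admits a million-segment body, which is why the segment cap is the check that matters here.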
Impact
Exploitation of this vulnerability causes the BEAM memory and schedulers to be exhausted, crashing the node and terminating all active sessions. This denial-of-service effect can be triggered by a small number of concurrent requests.
Reproduction
To reproduce this vulnerability, send a POST request to a Phoenix server's long-poll endpoint with the 'Content-Type' set to 'application/x-ndjson'. The request body should consist entirely of newline characters. This can be done manually or automated with a script. Ensure that the request includes a valid session token, which can be obtained by sending an unauthenticated GET request to the same URL with a matching Origin header.
Remediation
Users can upgrade to Phoenix versions 1.7.22 or 1.8.6, where this vulnerability has been patched. Alternatively, the long-poll transport can be disabled on all Phoenix.Socket declarations by setting longpoll: false, though this will prevent connections from clients that cannot use WebSockets.
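The second remediation, disabling the transport, is applied in the endpoint's `socket` declarations. As an added example (not from the advisory or the Phoenix project; `MyAppWeb` and the paths are assumptions), the weak and corrected settings side by side:

```elixir
# lib/my_app_web/endpoint.ex (illustration; MyAppWeb names are assumptions)
defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # Before: long-poll transport enabled, so /socket/longpoll accepts
  # NDJSON POST bodies on affected versions.
  #
  # socket "/socket", MyAppWeb.UserSocket,
  #   websocket: true,
  #   longpoll: true

  # After: long-poll disabled on every socket declaration. Clients that
  # cannot open a WebSocket will no longer be able to connect.
  socket "/socket", MyAppWeb.UserSocket,
    websocket: true,
    longpoll: false

  socket "/live", Phoenix.LiveView.Socket,
    websocket: true,
    longpoll: false
end
```

If upgrading instead, pin the dependency in mix.exs to a patched line, `{:phoenix, "~> 1.7.22"}` for the 1.7 series or `{:phoenix, "~> 1.8.6"}` for 1.8, and confirm with `mix deps.tree` that no other dependency pulls in an older Phoenix.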
