mtrudel Bandit HTTP/1 Chunked Body Reader Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the mtrudel Bandit library, affecting versions from 1.4.0 up to, but not including, 1.11.1. It allows an unauthenticated remote attacker to exhaust server memory and crash the server. The root cause is that the HTTP/1 chunked body reader ignores the configured length limit and buffers the entire request body into memory as a single binary. Sending a large chunked POST request to any endpoint is enough to drive the server out of memory, at which point the operating system's out-of-memory killer terminates the process.
Impact
Exploitation of this vulnerability causes the server to run out of memory and crash, disrupting service. This issue affects any Bandit application that handles request bodies, which is common in Phoenix applications due to the default middleware configuration.
Reproduction
To reproduce this vulnerability, send a chunked POST request with a large body to a Bandit server running a Phoenix application. The request should include the 'Transfer-Encoding: chunked' header, which will be processed by the vulnerable chunked body reader. Monitor the server's memory usage, which will increase until the operating system's out-of-memory killer terminates the process.
Remediation
Users can upgrade to Bandit version 1.11.1 or later, where this vulnerability has been fixed.
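The flaw described under Vulnerability, and the behaviour the fixed reader must have, can be illustrated with a small chunked-body decoder. This is an added example written in Python, not Bandit's own code; the function names, the limit parameter and the sample body are constructed for illustration. The decoder checks the running total as each chunk-size line is parsed, before reading the chunk payload, so an oversized body is refused without ever being buffered in full, which is exactly the check the vulnerable reader skipped.

```python
import io

class BodyTooLarge(Exception):
    """Raised when the decoded chunked body would exceed the configured limit."""

def read_chunked(stream, max_length):
    """Decode an HTTP/1 chunked body from a binary stream, enforcing max_length.

    The running total is checked as each chunk-size line is parsed, before the
    payload is read, so an oversized body is refused without being buffered.
    """
    total = 0
    parts = []
    while True:
        size_line = stream.readline()
        if not size_line:
            raise ValueError("stream ended before the terminating zero-size chunk")
        # A chunk-size line may carry extensions after ';'; only the hex size matters.
        size = int(size_line.split(b";", 1)[0].strip(), 16)
        if size == 0:
            # Last chunk: consume optional trailer lines up to the blank line.
            while stream.readline() not in (b"\r\n", b"\n", b""):
                pass
            return b"".join(parts)
        total += size
        if total > max_length:
            raise BodyTooLarge(f"chunked body exceeds {max_length} bytes")
        data = stream.read(size)
        if len(data) != size:
            raise ValueError("chunk payload shorter than its declared size")
        if stream.readline() not in (b"\r\n", b"\n"):
            raise ValueError("chunk payload not followed by CRLF")
        parts.append(data)

def decode(raw, max_length):
    """Decode a complete chunked body held in memory (convenience wrapper)."""
    return read_chunked(io.BytesIO(raw), max_length)

def exceeds_limit(raw, max_length):
    """True if decoding raw under max_length is refused because of its size."""
    try:
        decode(raw, max_length)
    except BodyTooLarge:
        return True
    return False

# Constructed sample body: chunks "hello" and " world", the second with a chunk extension.
SAMPLE = b"5\r\nhello\r\n6;ext=x\r\n world\r\n0\r\n\r\n"
```

Because the limit is applied to the declared chunk sizes, a single chunk header announcing more bytes than the limit is rejected before any payload is read at all.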
