Bandit WebSocket Permessage-Deflate Compression Memory Exhaustion Vulnerability Allowing Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in the Bandit HTTP server library for Elixir, affecting versions from 0.5.9 up to, but not including, 1.11.0. When WebSocket permessage-deflate compression is enabled, an unauthenticated remote attacker can cause memory exhaustion by sending a single compressed frame. A frame as small as 6 MiB on the wire can decompress to several gigabytes of data, because the implementation places no limit on the decompressed output size, leading to out-of-memory conditions on the server.
Impact
Exploitation of this vulnerability causes the BEAM (Erlang's virtual machine) to run out of memory, triggering an out-of-memory kill. This denial-of-service condition can be exacerbated by opening multiple concurrent connections.
Reproduction
To reproduce this vulnerability, deploy a Bandit server with WebSocket permessage-deflate compression enabled by passing 'compress: true' in the WebSocket upgrade options. Once the server is running, open a WebSocket connection and send a compressed frame that takes advantage of the missing output-size limit in the permessage-deflate implementation. A high-ratio compressed payload, such as one consisting of uniform data, stays under wire-size limits while forcing a very large memory allocation on the server.
Remediation
The vulnerability has been patched in Bandit version 1.11.0, and users should upgrade to that version or later. For applications that cannot upgrade, do not pass the 'compress: true' option to 'WebSockAdapter.upgrade/4'; without it, permessage-deflate is never negotiated with the client, so the vulnerable decompression path is not reachable.
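The mitigation above, shown as an added example that is not Bandit's own code: a minimal Plug router whose WebSocket upgrade omits 'compress: true', with the vulnerable call kept in a comment for contrast. The module names are hypothetical, and the 'max_frame_size' option is assumed to be supported by the installed WebSockAdapter version.

```elixir
# Added example, not from Bandit or WebSockAdapter. Module names are hypothetical.
# mix.exs for the patched release: {:bandit, "~> 1.11"}
defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/ws" do
    # Vulnerable on Bandit >= 0.5.9 and < 1.11.0: permessage-deflate is
    # negotiated, so one small compressed frame can inflate to gigabytes
    # inside the BEAM.
    #
    #   WebSockAdapter.upgrade(conn, MyApp.EchoSocket, %{}, compress: true)
    #
    # Mitigated: leave `compress:` out so the extension is never negotiated.
    # `max_frame_size` (assumed available) caps the on-wire frame size; it is
    # a sensible limit but does not by itself bound the decompressed size,
    # which is why omitting `compress:` is the actual fix here.
    WebSockAdapter.upgrade(conn, MyApp.EchoSocket, %{}, max_frame_size: 1_000_000)
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end

defmodule MyApp.EchoSocket do
  @behaviour WebSock

  @impl true
  def init(state), do: {:ok, state}

  # Echo text frames back; ignore everything else.
  @impl true
  def handle_in({data, [opcode: :text]}, state), do: {:push, {:text, data}, state}
  def handle_in(_frame, state), do: {:ok, state}

  @impl true
  def handle_info(_msg, state), do: {:ok, state}

  @impl true
  def terminate(_reason, _state), do: :ok
end
```

A quick way to confirm the mitigation is in place is to inspect the server's 101 response: with 'compress:' omitted it carries no 'Sec-WebSocket-Extensions: permessage-deflate' header, even when the client offered the extension.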