Bandit HTTP Server Infinite Loop Vulnerability in Chunked Trailer Processing
Vulnerability
A denial-of-service vulnerability has been identified in the Bandit HTTP server, affecting versions from 1.6.1 up to but not including 1.11.1. It allows an unauthenticated remote attacker to exhaust worker processes by sending chunked HTTP requests that include trailer fields: the chunked transfer decoder enters an infinite loop, pinning the worker for the lifetime of the TCP connection, which can render the server unresponsive to all traffic. Any Bandit-fronted HTTP/1 service that accepts chunked request bodies is affected, and accepting them is the default for Phoenix and Plug applications.
Impact
Exploitation of this vulnerability leads to worker process exhaustion, leaving the server unresponsive to all traffic. Each concurrently exploited connection consumes one worker process, so responsiveness degrades further with every additional connection.
Reproduction
The vulnerability can be reproduced by sending a chunked POST request that includes a trailer field, such as 'X-Trailer: 1', to a Bandit server. Sending the request through a proxy that forwards trailer fields, such as NGINX or HAProxy, simulates the real-world deployment in which the vulnerability could be exploited without direct client involvement.
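The property the advisory describes as missing is that a chunked decoder must consume input or fail on every iteration, including while reading the trailer section after the last chunk. The following is an added reference decoder written for this page in Python; it is not Bandit's code and does not reproduce Bandit's internal logic. It parses the RFC 9112 chunked framing (chunks, the zero-length last chunk, trailer field lines, and the terminating empty line), bounds the trailer section, and raises on incomplete or malformed input instead of spinning. The sample request body `SAMPLE`, including the `X-Trailer: 1` field from the reproduction above, is constructed for the example.

```python
import re
from typing import Dict, Tuple

# RFC 9112 chunked framing:
#   chunk        = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
#   last-chunk   = "0" CRLF
#   trailer-sect = *( field-line CRLF )
#   message ends with a final CRLF after the trailer section
CRLF = b"\r\n"
MAX_TRAILERS = 64        # hard bound on trailer fields (example value, assumed)
MAX_FIELD_LINE = 8192    # hard bound on one field line (example value, assumed)

FIELD_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


class ChunkedError(ValueError):
    """Malformed or incomplete chunked body; a server should reject or wait, never spin."""


def decode_chunked(data: bytes) -> Tuple[bytes, Dict[str, str], bytes]:
    """Decode one complete chunked message body from `data`.

    Returns (body, trailers, remaining_bytes). Every loop iteration either
    advances `pos` or raises, so the function terminates for any finite
    input. A streaming server would treat "incomplete" as "need more bytes"
    rather than as an error, but it must still not loop without progress.
    """
    body = bytearray()
    pos = 0
    while True:
        end = data.find(CRLF, pos)
        if end == -1:
            raise ChunkedError("incomplete chunk-size line")
        size_line = data[pos:end].split(b";", 1)[0].strip()   # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,16}", size_line):
            raise ChunkedError("bad chunk size")
        size = int(size_line, 16)
        pos = end + 2
        if size == 0:
            break                                              # last-chunk reached
        if len(data) < pos + size + 2:
            raise ChunkedError("incomplete chunk data")
        body += data[pos:pos + size]
        if data[pos + size:pos + size + 2] != CRLF:
            raise ChunkedError("chunk data not CRLF-terminated")
        pos += size + 2

    # Trailer section: zero or more field lines, then an empty line.
    trailers: Dict[str, str] = {}
    while True:
        end = data.find(CRLF, pos)
        if end == -1:
            raise ChunkedError("incomplete trailer section")
        line = data[pos:end]
        pos = end + 2                                          # always advances
        if line == b"":
            break                                              # empty line ends the message
        if len(line) > MAX_FIELD_LINE or len(trailers) >= MAX_TRAILERS:
            raise ChunkedError("trailer section too large")
        m = FIELD_LINE.match(line)
        if not m:
            raise ChunkedError("malformed trailer field line")
        name = m.group(1).decode("ascii").lower()
        trailers[name] = m.group(2).decode("latin-1")
    return bytes(body), trailers, data[pos:]


# Constructed sample: one 5-byte chunk, the last chunk, one trailer field, end of message.
SAMPLE = b"5\r\nhello\r\n0\r\nX-Trailer: 1\r\n\r\n"

if __name__ == "__main__":
    print(decode_chunked(SAMPLE))
```

When reviewing or testing any chunked decoder, the two inputs worth feeding it are a body with a trailer field followed by the terminating empty line (must return) and a body whose trailer section never terminates (must raise or yield control back to the connection loop, never busy-wait).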
Remediation
Upgrade to Bandit version 1.11.1 or later to address this vulnerability.