Netty Unbounded Memory Allocation Vulnerability in HTTP/3 QPACK Decoding

Vulnerability

Netty's HTTP/3 QPACK decoder in versions prior to 4.2.13.Final allows unbounded memory allocation. When decoding a header block, the decoder reads the length of a string literal (such as a header name) from the compressed data and allocates a byte array of that length before checking that the block actually contains that many bytes. An attacker can therefore send a header block of only a few bytes that declares a very large length, and the server allocates a correspondingly large array for every such header. Under repeated or concurrent requests this causes excessive memory use and can slow down, stall, or crash the server.

Impact

Exploitation costs the server a large transient allocation per crafted header, with the size chosen entirely by the attacker and paid before the header is rejected. This leads to significant server-side performance degradation, including slowdowns, stalls, or crashes, especially under load when many crafted HTTP/3 headers are processed concurrently or when a claimed length exceeds the heap available to the JVM.

Reproduction

The vulnerability can be reproduced by sending an HTTP/3 HEADERS frame whose QPACK field section contains a literal (non-Huffman) name whose length prefix decodes to a very large value, while the frame itself carries almost no payload. This can be done with a Java test that starts a QUIC server and client, configures the server to handle HTTP/3 connections, and has the client send the crafted header. On an unpatched server the decoder first allocates a byte array of the claimed length and only then fails with an IndexOutOfBoundsException when it tries to read the missing bytes; the exception does not undo the allocation, so the cost of each crafted header is incurred before it is rejected.
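The decoder flaw described under Vulnerability and the crafted field section described under Reproduction, modelled in Python as an added example. This is not Netty's code and does not reproduce its API; the bit layouts follow RFC 9204 (field section prefix, literal field line with literal name, N-bit prefixed integers), and the function names and the constant CLAIMED_NAME_LEN are assumptions of this example. The vulnerable reader allocates from the claimed length and fails afterwards, as the description above says the unpatched decoder does; the hardened reader checks availability before allocating.

```python
# Added example, not Netty's code: a minimal QPACK field-section decoder that
# models the bug above. Layouts follow RFC 9204; all function names and the
# constant CLAIMED_NAME_LEN are this example's own.

class DecodeError(Exception):
    """Hardened path: block rejected before any allocation happens."""

def read_prefixed_int(buf: bytes, pos: int, prefix_bits: int):
    """Integer with an N-bit prefix (RFC 9204 section 4.1.1); returns (value, new_pos)."""
    if pos >= len(buf):
        raise DecodeError("truncated integer")
    mask = (1 << prefix_bits) - 1
    value = buf[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        if pos >= len(buf):
            raise DecodeError("truncated integer")
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos
        if shift > 62:  # extra guard of this example: bound the integer itself too
            raise DecodeError("integer too large")

def encode_prefixed_int(value: int, prefix_bits: int, high_bits: int = 0) -> bytes:
    """Inverse of read_prefixed_int; high_bits are the pattern/flag bits above the prefix."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([high_bits | value])
    out = bytearray([high_bits | mask])
    value -= mask
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def read_string_vulnerable(buf: bytes, pos: int, prefix_bits: int):
    """The flaw: size a buffer from the claimed length, then find the bytes are missing."""
    length, pos = read_prefixed_int(buf, pos, prefix_bits)
    out = bytearray(length)       # attacker-chosen size, allocated unconditionally
    if len(buf) - pos < length:   # models Netty's IndexOutOfBoundsException: too late
        raise IndexError(length)
    out[:] = buf[pos:pos + length]
    return bytes(out), pos + length

def read_string_hardened(buf: bytes, pos: int, prefix_bits: int):
    """The fix pattern: check availability before anything is sized from the claim."""
    length, pos = read_prefixed_int(buf, pos, prefix_bits)
    if length > len(buf) - pos:
        raise DecodeError(f"claimed {length} bytes, {len(buf) - pos} available")
    return bytes(buf[pos:pos + length]), pos + length

def decode_field_section(block: bytes, hardened: bool):
    """Section prefix plus literal field lines with literal names (001NHxxx), non-Huffman."""
    read_string = read_string_hardened if hardened else read_string_vulnerable
    _required_insert_count, pos = read_prefixed_int(block, 0, 8)
    _sign_and_delta_base, pos = read_prefixed_int(block, pos, 7)
    fields = []
    while pos < len(block):
        if block[pos] & 0xE0 != 0x20 or block[pos] & 0x08:
            raise DecodeError("only non-Huffman literal-name field lines are modelled")
        name, pos = read_string(block, pos, 3)      # name length: 3-bit prefix
        if pos >= len(block) or block[pos] & 0x80:
            raise DecodeError("truncated or Huffman-coded value")
        value, pos = read_string(block, pos, 7)     # value length: 7-bit prefix
        fields.append((name, value))
    return fields

def benign_block() -> bytes:
    """Constructed sample: prefix (RIC=0, base=0) then literal 'host: example.com'."""
    return (b"\x00\x00" + encode_prefixed_int(4, 3, 0x20) + b"host"
            + encode_prefixed_int(11, 7) + b"example.com")

CLAIMED_NAME_LEN = 64 * 1024 * 1024   # constructed: claim a 64 MiB name, send none of it

def crafted_block() -> bytes:
    """Constructed sample: seven bytes on the wire that claim a 64 MiB literal name."""
    return b"\x00\x00" + encode_prefixed_int(CLAIMED_NAME_LEN, 3, 0x20)

def attempt(block: bytes, hardened: bool):
    """('ok', fields), ('rejected', 0), or ('allocated', n) when the vulnerable
    decoder sized an n-byte buffer before failing."""
    try:
        return "ok", decode_field_section(block, hardened)
    except IndexError as e:
        return "allocated", e.args[0]
    except DecodeError:
        return "rejected", 0
```

Run attempt() on the seven-byte crafted block and the vulnerable path reports a 64 MiB allocation before raising, while the hardened path rejects the block without allocating; the benign block decodes to a single host field on both paths. The bytes from crafted_block() are what would sit inside an HTTP/3 HEADERS frame; delivering them to a real server still requires a QUIC/HTTP/3 client such as the Java test mentioned above. The 62-bit cap in read_prefixed_int is an additional guard of this example, not a description of the actual fix.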

Remediation

Users should upgrade to Netty version 4.2.13.Final or later, where the decoder verifies that the claimed number of bytes is available before allocating. Because Netty is often pulled in transitively, confirm the version that is actually resolved in the build's dependency tree rather than only the version declared directly.

Added: May 13, 2026, 7:26 PM
Updated: May 13, 2026, 7:26 PM

Vulnerability Rating

Custom Algorithm

spread          8.6
impact          2.5
exploitability  9.5
remediation     7.7
relevance       8.2
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.