Netty HttpContentDecompressor and DelegatingDecompressorFrameListener Unbounded Memory Allocation Vulnerability via Brotli, Zstd, or Snappy Encoding

Vulnerability

A denial-of-service vulnerability has been identified in Netty's HttpContentDecompressor and DelegatingDecompressorFrameListener components prior to versions 4.2.13.Final and 4.1.133.Final. These components, responsible for decompressing HTTP content, accept a maxAllocation parameter that limits decompressed buffer sizes to prevent decompression bomb attacks. The limit is enforced for gzip and deflate encodings but ignored for Brotli, zstd, and snappy. As a result, an attacker can bypass the decompression limit by declaring Brotli, zstd, or snappy encoding, leading to unbounded memory allocation and out-of-memory conditions on the server.

Impact

Exploitation of this vulnerability causes out-of-memory conditions, leading to denial-of-service on the affected server. Additionally, it creates a false sense of security, as developers may believe they are protected against decompression bombs when using Brotli, zstd, or snappy encodings.

Reproduction

To reproduce this vulnerability, configure a Netty HTTP server with decompression bomb protection by setting a maxAllocation limit. Then send a Brotli-compressed payload whose decompressed size exceeds that limit. The server will experience an out-of-memory condition because the decompressed data is streamed into memory without any constraint.

Remediation

Users can upgrade to Netty versions 4.2.13.Final or 4.1.133.Final, where this vulnerability has been fixed.
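As an added illustration, not code from this advisory or from the Netty project, the following server pipeline sets the maxAllocation limit named above and, as an interim measure until the upgrade in the Remediation section is applied, rejects request bodies declared as br, zstd or snappy before they reach the decompressor. Assumptions: the HttpContentDecompressor(int maxAllocation) constructor signature, the 1 MiB budgets, and the class and method names are mine, not Netty's documented ones.

```java
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.http.*;
import io.netty.util.ReferenceCountUtil;
import java.util.Arrays;
import java.util.Set;

public class DecompressionGuardInitializer extends ChannelInitializer<SocketChannel> {
    static final int MAX_DECOMPRESSED_BYTES = 1024 * 1024; // constructed maxAllocation budget; tune per deployment
    static final int MAX_BODY_BYTES = 1024 * 1024;         // constructed cap on the assembled request body
    // Encodings for which maxAllocation was ignored before 4.2.13.Final / 4.1.133.Final.
    static final Set<String> UNBOUNDED_ENCODINGS = Set.of("br", "zstd", "snappy");

    @Override
    protected void initChannel(SocketChannel ch) {
        ch.pipeline()
          .addLast(new HttpServerCodec())
          .addLast(new EncodingGuard())                                 // runs before the decompressor
          .addLast(new HttpContentDecompressor(MAX_DECOMPRESSED_BYTES)) // assumed signature; bounds gzip/deflate output
          .addLast(new HttpObjectAggregator(MAX_BODY_BYTES));           // independent cap on decompressed body size
    }

    // Rejects requests whose Content-Encoding the unpatched decompressor cannot bound.
    static final class EncodingGuard extends ChannelInboundHandlerAdapter {
        private boolean rejecting;

        @Override
        public void channelRead(ChannelHandlerContext ctx, Object msg) {
            if (msg instanceof HttpRequest) {
                rejecting = usesUnboundedEncoding(((HttpRequest) msg).headers().get(HttpHeaderNames.CONTENT_ENCODING));
                if (rejecting) {
                    ReferenceCountUtil.release(msg);
                    FullHttpResponse rsp = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNSUPPORTED_MEDIA_TYPE);
                    rsp.headers().set(HttpHeaderNames.CONTENT_LENGTH, 0);
                    ctx.writeAndFlush(rsp).addListener(ChannelFutureListener.CLOSE); // answer, then drop the connection
                    return;
                }
            } else if (rejecting) {
                ReferenceCountUtil.release(msg); // discard body chunks of the rejected request
                return;
            }
            ctx.fireChannelRead(msg);
        }

        // Content-Encoding may list several codings ("gzip, br"); reject if any of them is unbounded.
        static boolean usesUnboundedEncoding(String header) {
            return header != null && Arrays.stream(header.split(","))
                    .map(s -> s.trim().toLowerCase()).anyMatch(UNBOUNDED_ENCODINGS::contains);
        }
    }
}
```

Once the upgrade is in place the guard can be removed, since maxAllocation then covers the three encodings; the aggregator cap remains useful as defence in depth.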

Added: May 13, 2026, 7:23 PM
Updated: May 13, 2026, 7:23 PM

Vulnerability Rating

Custom Algorithm

spread: 8.6
impact: 2.5
exploitability: 9.5
remediation: 7.7
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.