Audiobookshelf
cpe:2.3:a:audiobookshelf:audiobookshelf:*:*:*:*:*:*:*
- 2.32.1
A denial-of-service vulnerability has been identified in Audiobookshelf versions prior to 2.32.2. The issue arises in the POST /api/backups/upload endpoint, where the details entry of an uploaded .audiobookshelf ZIP file is decompressed entirely into memory without any size limit. This flaw allows an admin user to upload a ZIP file containing a highly compressed details entry that, when expanded, consumes excessive amounts of memory, leading to a server crash. The upload middleware also lacks a file size limit, exacerbating the problem.
Exploitation of this vulnerability causes the Audiobookshelf server process to crash due to out-of-memory conditions, disrupting service for all users. The attack can be repeated immediately after the server restarts, allowing for sustained denial-of-service. Additionally, the absence of an upload size limit on the backup upload endpoint enables the acceptance of very large compressed files.
To reproduce this vulnerability, an admin user can upload a crafted .audiobookshelf ZIP file via the POST /api/backups/upload endpoint. The ZIP file should contain a details entry that is highly compressed but expands to a large size when decompressed. The server's memory usage can be monitored before and after the upload to observe the impact. Uploading a ZIP file with a details entry that decompresses to over 200MB will cause the server process to run out of memory and crash.
Users can update to Audiobookshelf version 2.32.2 or later, where this vulnerability has been fixed. Additionally, for those managing their own Audiobookshelf instances, it is recommended to configure a file size limit in the upload middleware to prevent the upload of excessively large files.