OpenStack Horizon Unauthenticated Session Flood Vulnerability Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in OpenStack Horizon versions from 25.6.0 up to, but not including, 25.7.3. The issue arises because the login view stores the post-login redirect URL in the server-side session before the user has authenticated. Every unauthenticated request that arrives without a session cookie therefore creates a new persistent session entry, allowing an attacker to exhaust the session storage backend (such as Memcached, Redis, or a database) by repeatedly requesting the login page with a 'next' parameter. As the backend reaches capacity, legitimate session entries are evicted, logging out active users, including administrators, and disrupting access to the Horizon dashboard. This vulnerability is a regression of a previous issue addressed in CVE-2014-8124.

Impact

Exploitation of this vulnerability leads to uncontrolled resource exhaustion in the session storage backend, causing a denial-of-service condition for the Horizon dashboard. In Memcached deployments, the memory limit is reached quickly, evicting active sessions and logging out users. In database-backed deployments, this could exhaust SQL connections, impacting other OpenStack components that share the same database cluster.

Reproduction

To reproduce this vulnerability, send multiple unauthenticated GET requests to the '/auth/login/' endpoint, including a 'next' parameter. Each request without an existing session cookie will create a new session entry in the backend. This can be done manually or automated with a script. After sending the requests, check the session storage backend to confirm that new session entries have been created. This vulnerability can be exploited rapidly, especially with multi-threaded attacks.
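The mechanism described in the Vulnerability and Reproduction sections (one new session per cookie-less GET, eviction of legitimate sessions once the backend is full) can be modelled without a Horizon deployment. The following is an added example, not Horizon or Django code: `BoundedSessionStore` is a constructed stand-in for a capacity-limited backend with least-recently-used eviction, `vulnerable_login_get` reproduces the regressed pattern of writing 'next' into the session before authentication, and `hardened_login_get` shows the general mitigation of keeping anonymous GETs stateless (the page does not describe how the upstream 25.7.3 patch is implemented, so that function is an assumption about the fix pattern, not the actual patch).

```python
"""Model of the pre-authentication session-flood failure mode and a hardened counterpart."""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import secrets


class BoundedSessionStore:
    """Constructed stand-in for a capacity-limited session backend (Memcached-style).

    When the store is full, the least recently used entry is evicted. That eviction
    is what logs out legitimate users once the backend fills with anonymous sessions.
    """

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self._entries: "OrderedDict[str, Dict]" = OrderedDict()
        self.evicted: List[str] = []  # session ids pushed out by newer entries

    def create(self, data: Dict) -> str:
        sid = secrets.token_hex(16)
        self._entries[sid] = data
        if len(self._entries) > self.capacity:
            old_sid, _ = self._entries.popitem(last=False)  # drop the oldest entry
            self.evicted.append(old_sid)
        return sid

    def get(self, sid: str) -> Optional[Dict]:
        data = self._entries.get(sid)
        if data is not None:
            self._entries.move_to_end(sid)  # a hit marks the entry as recently used
        return data

    def __len__(self) -> int:
        return len(self._entries)


@dataclass
class Request:
    """Minimal constructed request: path, query string and cookies only."""
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


def vulnerable_login_get(request: Request, store: BoundedSessionStore) -> Dict:
    """Regressed pattern: persist the 'next' URL in the session before authentication.

    A request carrying no valid session cookie forces a brand-new backend entry,
    so every anonymous GET to the login page consumes storage.
    """
    sid = request.cookies.get("sessionid")
    session = store.get(sid) if sid else None
    if session is None:
        sid = store.create({})
        session = store.get(sid)
    session["next"] = request.query.get("next", "/")
    return {"status": 200, "set_cookie": sid}


def hardened_login_get(request: Request, store: BoundedSessionStore) -> Dict:
    """Assumed fix pattern: an anonymous GET creates no server-side state.

    The redirect target is carried in the rendered form (hidden field or query
    string) and written to the session only after a successful login POST. Before
    use it must still be validated as a same-origin path; that check is omitted here.
    """
    return {"status": 200, "set_cookie": None, "form_next": request.query.get("next", "/")}


def simulate_anonymous_gets(view: Callable, store: BoundedSessionStore, n_requests: int) -> int:
    """Feed n_requests cookie-less GETs (constructed input) to the view; return the store size."""
    for _ in range(n_requests):
        view(Request("/auth/login/", query={"next": "/project/"}), store)
    return len(store)


def admin_survives(view: Callable, capacity: int, n_requests: int) -> bool:
    """Create an authenticated 'admin' session first, run the anonymous GETs,
    and report whether the admin session is still present afterwards."""
    store = BoundedSessionStore(capacity)
    admin_sid = store.create({"user": "admin", "authenticated": True})
    simulate_anonymous_gets(view, store, n_requests)
    return store.get(admin_sid) is not None


if __name__ == "__main__":
    for name, view in (("vulnerable", vulnerable_login_get), ("hardened", hardened_login_get)):
        print(f"{name}: admin session survives 200 anonymous GETs against capacity 50 ->",
              admin_survives(view, capacity=50, n_requests=200))
```

Running the block shows the vulnerable view evicting the administrator's session well before the flood ends, while the hardened view leaves the store untouched. The same model is useful on the defensive side: the request shape that matters for detection is a GET to '/auth/login/' with a 'next' parameter and no session cookie, and the observable backend symptom is a growing session count paired with evictions of authenticated entries.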

Remediation

Users should update to OpenStack Horizon version 25.7.3 or later, where this vulnerability has been fixed.

Added: May 5, 2026, 5:20 PM
Updated: May 5, 2026, 5:20 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 9.5
remediation: 7.7
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.