ninenines cowlib Improper Handling of Compressed Data Vulnerability Leading to Remote Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in ninenines cowlib, affecting versions from 0.1.0 up to, but not including, 2.16.1. It arises from improper handling of highly compressed data and allows an unauthenticated remote attacker to exhaust memory. The defect is in the cow_spdy:inflate/2 function, which passes compressed bytes received from the peer directly to zlib:inflate/2 with no limit on the size of the decompressed output. Because the SPDY header compression dictionary is public, zlib can compress long runs of repeated bytes at roughly a 1024:1 ratio, so a few kilobytes of SPDY frame payload can expand to gigabytes on the BEAM heap and trigger an out-of-memory condition that terminates the node. A single unauthenticated SPDY frame suffices to trigger it; the syn_stream, syn_reply, and headers frame parsers are all affected because each reaches the inflate step through cow_spdy:parse_headers/2.
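To make the failure mode and its defence concrete, the following is an added illustration written for this advisory and not code from cowlib: it performs the same inflate step with zlib:safeInflate/2 and a caller-chosen output cap, and the demo uses a constructed dictionary and payload rather than the real SPDY dictionary. The module name, the MaxBytes parameter and the 64 KiB cap are assumptions.

```erlang
%% bounded_inflate.erl: added illustration, not code from cowlib.
%% Inflates peer-supplied bytes with zlib:safeInflate/2 and stops once the
%% accumulated output exceeds a caller-chosen cap, instead of handing the
%% whole frame to zlib:inflate/2 with no output limit as cow_spdy did.
-module(bounded_inflate).
-export([inflate/4, demo/0]).

%% Zinf is an inflate context (one per SPDY connection, as the header
%% compression state spans frames). Dict is installed only if the stream
%% requests a preset dictionary; MaxBytes caps the output of this call.
inflate(Zinf, Data, Dict, MaxBytes) ->
    First = try
                zlib:safeInflate(Zinf, Data)
            catch
                _:{need_dictionary, _Adler32} ->
                    ok = zlib:inflateSetDictionary(Zinf, Dict),
                    zlib:safeInflate(Zinf, [])
            end,
    loop(Zinf, First, MaxBytes, [], 0).

%% safeInflate returns a bounded chunk per call; keep pulling chunks until
%% the queued input is consumed, aborting as soon as the cap is exceeded.
loop(Zinf, {Status, Chunk}, MaxBytes, Acc, Size) ->
    NewSize = Size + iolist_size(Chunk),
    if
        NewSize > MaxBytes ->
            {error, too_large};
        Status =:= finished ->
            {ok, iolist_to_binary(lists:reverse([Chunk | Acc]))};
        true ->
            loop(Zinf, zlib:safeInflate(Zinf, []), MaxBytes,
                 [Chunk | Acc], NewSize)
    end.

%% Constructed demonstration: 4 MiB of zero bytes deflates to a few KiB.
%% A 64 KiB cap rejects the frame long before the full 4 MiB is allocated.
demo() ->
    Dict = <<"constructed dictionary, not the real SPDY one">>,
    Zdef = zlib:open(),
    ok = zlib:deflateInit(Zdef, best_compression),
    _ = zlib:deflateSetDictionary(Zdef, Dict),
    Payload = binary:copy(<<0>>, 4 * 1024 * 1024),
    Compressed = iolist_to_binary(zlib:deflate(Zdef, Payload, finish)),
    ok = zlib:deflateEnd(Zdef),
    ok = zlib:close(Zdef),
    Zinf = zlib:open(),
    ok = zlib:inflateInit(Zinf),
    Result = inflate(Zinf, Compressed, Dict, 64 * 1024),
    ok = zlib:close(Zinf),
    {byte_size(Compressed), Result}.
```

After an {error, too_large} result the inflate context is left mid-stream, so a real decoder would close the connection rather than reuse it for later frames.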
Impact
Exploitation of this vulnerability leads to memory exhaustion, causing the Erlang node to run out of memory and terminate.
Remediation
Users are advised to upgrade to cowlib version 2.16.1 or later, as the cow_spdy module has been removed entirely in this version. No patched version of cow_spdy will be provided. Additionally, consider migrating away from SPDY, which has been deprecated since 2015 in favor of HTTP/2.