ninenines gun Unbounded HTTP Response Buffering Vulnerability Leading to Memory Exhaustion

A vulnerability in the gun_http module of ninenines gun, specifically in versions 1.0.0 prior to 2.4.0, allows a malicious server to exhaust client memory through unbounded HTTP/1.1 response buffering. The vulnerability arises because the module's response handling does not impose a limit on the size of the data buffered from incoming TCP streams. This flaw can be exploited by sending a partial response that never completes, causing the gun connection process to continuously append data to its buffer. As a result, a single malicious connection can lead to unbounded heap growth and a node-wide out-of-memory crash.

Impact

Exploitation of this vulnerability can cause a node-wide out-of-memory crash, as the unbounded memory growth from a single malicious connection exhausts all available memory on the node.

Reproduction

The vulnerability can be reproduced by establishing a connection using gun version 1.0.0 prior to 2.4.0 and sending a partial HTTP/1.1 response that omits the required header terminators. This can be done by initiating a response with 'HTTP/1.1 200 OK' followed by an unbounded stream of data, never including the ' ' terminator. The gun connection will accumulate the data in its buffer without limit, eventually causing memory exhaustion.

Remediation

Users can upgrade to gun version 2.4.0 or later, where this vulnerability has been fixed.