Benoitc Hackney WebSocket Client Unbounded Memory Consumption Vulnerability Allowing Denial-of-Service

Vulnerability

A vulnerability in the WebSocket client of Benoitc Hackney, affecting versions from 2.0.0 up to but not including 4.0.1, allows unbounded memory consumption and therefore denial of service. Three code paths in the WebSocket client accept server-controlled amounts of data without any size limit:

1) 'read_handshake_response/3' accumulates the bytes of the HTTP upgrade response into a buffer until it sees the blank line (CRLF CRLF) that terminates the response headers. The buffer has no cap, so a server that streams header bytes and never sends that terminator grows the buffer until the client runs out of memory.

2) 'parse_payload/9' and 'parse_active_payload/8' never check a frame's declared payload length against a limit. The 64-bit length field of an RFC 6455 frame allows a server to declare up to 2^63-1 bytes; the client then buffers everything it receives toward that length, so a server that declares a huge frame and sends the payload slowly makes the client's memory grow by however much the server chooses to send, for as long as it chooses to keep sending.

3) The 'frag_buffer' field of '#ws_data{}' accumulates the payloads of continuation frames until a frame with FIN set arrives. A server that never sends a final frame can append fragments indefinitely.

In all three cases the attacker only needs to control the WebSocket server that the Hackney client connects to; no authentication and no special client configuration is required. The practical exposure is therefore any deployment in which the WebSocket URL is user-supplied or the remote server is not fully trusted.

Impact

Exploitation causes unbounded memory consumption in the client, leading to denial of service. How that manifests depends on the BEAM configuration: with no per-process heap limit, which is the default, the node as a whole runs out of memory and the emulator aborts, taking down every application running on it; if a max_heap_size limit is set on the process holding the buffer, the BEAM kills that process instead. Either way the WebSocket client is lost, and in the default case so is everything else on the node.

Reproduction

To reproduce this vulnerability, point the Hackney WebSocket client at a server you control and have that server do any one of the following: 1) Stream bytes in the handshake response without ever sending the CRLF CRLF that terminates the HTTP response headers; the handshake response buffer grows with every byte received. 2) Send a frame header whose declared payload length is very large, then dribble the payload bytes slowly; because the declared length is never checked against a limit, the client keeps buffering toward it for as long as the server keeps sending. 3) Send a first fragment followed by an endless stream of continuation frames with FIN clear; each one is appended to frag_buffer, which has no bound. In each case the memory of the client node grows in step with the bytes sent, and no client-side action other than connecting is needed.
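The three unbounded code paths and the three reproduction triggers above, as an added example that is not part of this advisory and is not hackney's code: a minimal Python client-side parser that enforces the caps the affected versions lack (handshake buffer size, declared frame payload length checked before any payload is buffered, and total fragmented-message size), fed constructed inputs modelled on each trigger. The limit values, the function and class names, and the sample inputs are all assumptions made for the illustration; the hackney functions named in the advisory are not reproduced here.

```python
# Bounded WebSocket client parsing, added here as an illustration in Python. Not
# hackney's code; it shows the three caps the advisory says the affected versions
# lack. Every limit value below is an assumption chosen for the example.
import struct

MAX_HANDSHAKE_BYTES = 8 * 1024        # assumed cap: status line plus headers
MAX_FRAME_PAYLOAD = 1024 * 1024       # assumed cap: one frame's declared length
MAX_MESSAGE_BYTES = 4 * 1024 * 1024   # assumed cap: a reassembled fragmented message
OP_CONT, OP_TEXT, OP_BINARY, OP_CLOSE = 0x0, 0x1, 0x2, 0x8

class WsLimitExceeded(Exception):
    """A server-controlled size passed a client-side cap; the caller should close the socket."""

def read_handshake_response(chunks, limit=MAX_HANDSHAKE_BYTES):
    """Buffer socket chunks until the CRLF CRLF ending the HTTP headers; returns (head, leftover)."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        end = buf.find(b"\r\n\r\n")
        if end != -1:
            return buf[:end + 4], buf[end + 4:]
        if len(buf) > limit:  # no terminator yet and already too big: stop, do not keep reading
            raise WsLimitExceeded(f"handshake exceeded {limit} bytes without CRLF CRLF")
    raise ConnectionError("socket closed before the handshake completed")

def parse_frame_header(data, max_payload=MAX_FRAME_PAYLOAD):
    """Parse a server-to-client RFC 6455 frame header from the front of `data`.
    Returns (fin, opcode, payload_len, header_len), or None if more bytes are needed."""
    if len(data) < 2:
        return None
    b0, b1 = data[0], data[1]
    if b1 & 0x80:
        raise ValueError("server-to-client frames must not be masked (RFC 6455 5.1)")
    fin, opcode, length, pos = bool(b0 & 0x80), b0 & 0x0F, b1 & 0x7F, 2
    if length == 126:
        if len(data) < 4:
            return None
        length, pos = struct.unpack("!H", data[2:4])[0], 4
    elif length == 127:
        if len(data) < 10:
            return None
        length, pos = struct.unpack("!Q", data[2:10])[0], 10
    # Reject the declared length before any payload is allocated or awaited (no dribbling in 1 TiB).
    if length > max_payload:
        raise WsLimitExceeded(f"declared payload {length} exceeds cap {max_payload}")
    return fin, opcode, length, pos

class MessageAssembler:
    """Reassembles fragmented messages with a hard cap on the fragment buffer."""
    def __init__(self, max_message=MAX_MESSAGE_BYTES):
        self.max_message, self.frag_opcode, self.frag_buffer = max_message, None, bytearray()

    def feed_frame(self, fin, opcode, payload):
        """Return (opcode, message_bytes) when a message completes, else None."""
        if opcode >= OP_CLOSE:  # control frames: never fragmented, at most 125 bytes
            if not fin or len(payload) > 125:
                raise ValueError("malformed control frame")
            return opcode, bytes(payload)
        if opcode in (OP_TEXT, OP_BINARY):
            if self.frag_opcode is not None:
                raise ValueError("new message started inside a fragmented one")
            self.frag_opcode, self.frag_buffer = opcode, bytearray()
        elif opcode != OP_CONT or self.frag_opcode is None:
            raise ValueError(f"unexpected opcode {opcode:#x}")
        if len(self.frag_buffer) + len(payload) > self.max_message:  # check before appending
            raise WsLimitExceeded(f"fragmented message exceeds {self.max_message} bytes")
        self.frag_buffer += payload
        if not fin:
            return None
        message = (self.frag_opcode, bytes(self.frag_buffer))
        self.frag_opcode, self.frag_buffer = None, bytearray()
        return message

def _hits_cap(action):
    """True when `action()` is stopped by WsLimitExceeded."""
    try:
        action()
    except WsLimitExceeded:
        return True
    return False

def demo_malicious_server_inputs():
    """Run the advisory's three triggers (constructed inputs) against the bounded parsers."""
    # 1) ~1 KiB header lines, 100 of them, never the blank line that ends the headers.
    endless_headers = (b"X-Pad-%03d: " % i + b"A" * 1000 + b"\r\n" for i in range(100))
    # 2) Unmasked binary frame declaring a 1 TiB payload, then a few dribbled bytes.
    huge_frame = bytes([0x80 | OP_BINARY, 127]) + struct.pack("!Q", 1 << 40) + b"\x00" * 16
    # 3) A first text fragment, then non-final continuation frames for as long as allowed.
    asm = MessageAssembler(max_message=64 * 1024)
    def endless_fragments():
        asm.feed_frame(False, OP_TEXT, b"x" * 1024)
        while True:
            asm.feed_frame(False, OP_CONT, b"x" * 1024)
    return {
        "handshake": _hits_cap(lambda: read_handshake_response(endless_headers)),
        "frame": _hits_cap(lambda: parse_frame_header(huge_frame)),
        "fragments": _hits_cap(endless_fragments),
    }
```

Each cap is checked before the bytes that would breach it are retained: the handshake reader stops once the buffer passes its limit with no terminator in sight, the frame parser rejects the declared length from the header alone, and the assembler refuses a fragment that would push the reassembled message over its cap. Calling demo_malicious_server_inputs() returns True for all three triggers, meaning each attack was stopped at the corresponding cap instead of growing memory without bound.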

Remediation

Update to Hackney version 4.0.1 or later, where this issue is fixed. Until the upgrade is in place, two general mitigations (not taken from the advisory) limit the damage: connect only to WebSocket servers you trust or control, and set a max_heap_size limit via erlang:process_flag/2 on the process that holds the connection buffers, which turns unbounded growth into that one process being killed rather than the whole node running out of memory. Which process that is depends on how your application drives Hackney, so verify it rather than assuming it is the caller's process.

Added: May 26, 2026, 7:19 PM
Updated: May 26, 2026, 7:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.