Benoitc Hackney Uncontrolled Resource Consumption Vulnerability in HTTP/3 Response Handling

Vulnerability

A vulnerability in the Benoitc Hackney HTTP client library, affecting versions from 2.0.0 up to but not including 4.0.1, allows HTTP/3 response data to accumulate in memory without bound. The flaw is in the 'hackney_h3:await_response_loop/6' function, which collects the response body without enforcing any size limit. A malicious HTTP/3 server can exploit this by sending small data chunks at intervals just short of the timeout, so that each chunk resets the timer and the connection stays alive indefinitely. The accumulated buffer then grows without limit, exhausting the BEAM process heap and producing an out-of-memory error.

Impact

Exploitation of this vulnerability causes a remote denial-of-service condition by consuming memory without limit, eventually leading to process termination when the maximum heap size is reached or triggering the operating system's out-of-memory killer.

Reproduction

To reproduce this vulnerability, use an affected version of the Hackney library with the HTTP/3 transport enabled. This can be done by calling 'hackney_h3' directly or by passing '{transport, h3}' to 'hackney:request/5'. Then, send a request to a malicious HTTP/3 server that responds with '200 OK' and drips small data chunks just before the timeout expires, keeping the response loop active while the memory usage grows.
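The dripping-server pattern above, together with the two bounds that stop it, as a self-contained Erlang illustration added here (it is not hackney's code and does not use hackney's API). The receive loop enforces both a maximum body size and an absolute deadline, so a peer that sends a small chunk just under the per-chunk timeout can neither reset the timer forever nor grow the buffer without bound. The message tags h3_data and h3_fin, the option names chunk_timeout, max_body and total_timeout, and the drip_server simulator are assumptions made for this example.

```erlang
-module(bounded_h3_body).
-export([await_body/1, drip_server/3, demo/0]).

%% Hypothetical bounded body-collection loop (not hackney's code).
%% Opts is a map with optional keys:
%%   chunk_timeout  - ms to wait for the next chunk (per-chunk timer)
%%   max_body       - maximum accumulated body size in bytes
%%   total_timeout  - ms after which the whole response is abandoned,
%%                    regardless of how often chunks arrive
await_body(Opts) ->
    ChunkTimeout = maps:get(chunk_timeout, Opts, 5000),
    MaxBody = maps:get(max_body, Opts, 8 * 1024 * 1024),
    Deadline = erlang:monotonic_time(millisecond)
               + maps:get(total_timeout, Opts, 30000),
    loop(ChunkTimeout, MaxBody, Deadline, [], 0).

loop(ChunkTimeout, MaxBody, Deadline, Acc, Size) ->
    Remaining = Deadline - erlang:monotonic_time(millisecond),
    case Remaining =< 0 of
        true ->
            %% Absolute deadline: a dripping peer cannot extend it.
            {error, total_timeout};
        false ->
            receive
                {h3_data, Chunk} when is_binary(Chunk) ->
                    NewSize = Size + byte_size(Chunk),
                    case NewSize > MaxBody of
                        true ->
                            %% Stop accumulating instead of growing the heap.
                            {error, {body_too_large, NewSize, MaxBody}};
                        false ->
                            loop(ChunkTimeout, MaxBody, Deadline,
                                 [Chunk | Acc], NewSize)
                    end;
                h3_fin ->
                    {ok, iolist_to_binary(lists:reverse(Acc))}
            after min(ChunkTimeout, Remaining) ->
                case Remaining =< ChunkTimeout of
                    true -> {error, total_timeout};
                    false -> {error, chunk_timeout}
                end
            end
    end.

%% Constructed simulator of a peer that drips ChunkSize-byte chunks
%% every Interval ms and never sends the final frame.
drip_server(Client, ChunkSize, Interval) ->
    Chunk = binary:copy(<<"A">>, ChunkSize),
    spawn(fun() -> drip(Client, Chunk, Interval) end).

drip(Client, Chunk, Interval) ->
    Client ! {h3_data, Chunk},
    timer:sleep(Interval),
    drip(Client, Chunk, Interval).

%% Runs the bounded loop against the dripping peer: chunks arrive every
%% 10 ms, well inside the 50 ms per-chunk timeout, so only the size cap
%% or the total deadline can end the loop. Here the 16 KiB cap is hit first.
demo() ->
    Pid = drip_server(self(), 1024, 10),
    Result = await_body(#{chunk_timeout => 50,
                          max_body => 16 * 1024,
                          total_timeout => 5000}),
    exit(Pid, kill),
    flush(),
    Result.

%% Discard chunks that were already queued in the caller's mailbox.
flush() ->
    receive
        {h3_data, _} -> flush()
    after 0 ->
        ok
    end.
```

Compile with erlc and call bounded_h3_body:demo() in an Erlang shell; it returns {error, {body_too_large, 17408, 16384}} once the seventeenth chunk pushes the accumulated size past the cap. The per-chunk timer alone would never fire against this peer, which is exactly the gap the size cap and the absolute deadline close.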

Remediation

Users can upgrade to Hackney version 4.0.1 or later, where this vulnerability has been fixed.

Added: May 26, 2026, 7:16 PM
Updated: May 26, 2026, 7:16 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 9.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.