elixir-mint Mint
- >= 0.2.0, < 1.9.0
A vulnerability in the Elixir Mint HTTP client, affecting versions from 0.2.0 up to but not including 1.9.0, allows an attacker-controlled HTTP/2 server to exhaust the client's memory. The server floods the client with PUSH_PROMISE frames and withholds the corresponding response HEADERS, producing a denial-of-service condition. The root cause is that the client does not enforce a concurrency limit on promised streams, so a malicious server can pin an unbounded number of streams and drive the client process out of memory.
Exploitation of this vulnerability leads to a remote, unauthenticated denial-of-service condition, causing the client process to crash due to out-of-memory errors.
To reproduce this vulnerability, connect to an HTTP/2 server that sends a large number of PUSH_PROMISE frames without following up with the response HEADERS. Each PUSH_PROMISE frame will be acknowledged by the client, increasing the memory usage until the process runs out of resources and crashes.
Users can upgrade to Mint version 1.9.0 or later, where this vulnerability has been fixed. Alternatively, HTTP/2 server push can be disabled on connections to untrusted servers by passing 'client_settings: [enable_push: false]' to 'Mint.HTTP.connect/4'.
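As an added illustration (not Mint's code, and independent of its internals), the following Python model shows the accounting the advisory describes: it parses a constructed HTTP/2 frame sequence, tracks each PUSH_PROMISE until the matching response HEADERS arrives, and compares the unbounded bookkeeping (limit=None, the vulnerable behaviour) with a hardened cap that refuses further promises. The cap value of 100 and the frame sequence are assumptions made for the example.

```python
import struct

PUSH_PROMISE, HEADERS = 0x5, 0x1   # HTTP/2 frame types
END_HEADERS, PADDED = 0x4, 0x8     # frame flags used below
def frame(ftype, stream_id, payload, flags=0):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return struct.pack(">I", len(payload))[1:] + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in a byte string."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, sid, payload
        off += 9 + length

class PromisedStreams:
    """Streams announced by PUSH_PROMISE that still await their response HEADERS (limit=None: no cap)."""
    def __init__(self, limit):
        self.limit, self.pending = limit, set()
    def feed(self, ftype, flags, sid, payload):
        """Account for one frame; return False when the promise must be refused."""
        if ftype == PUSH_PROMISE:
            if self.limit is not None and len(self.pending) >= self.limit:
                return False                        # hardened path: stop pinning state for this server
            start = 1 if flags & PADDED else 0      # skip the Pad Length byte when PADDED is set
            self.pending.add(int.from_bytes(payload[start:start + 4], "big") & 0x7FFFFFFF)
        elif ftype == HEADERS:
            self.pending.discard(sid)               # promised response arrived, release the slot
        return True

def replay(frames, limit):
    tracker = PromisedStreams(limit)               # returns ("refused" or "ok", streams still pinned)
    for ftype, flags, sid, payload in iter_frames(frames):
        if not tracker.feed(ftype, flags, sid, payload):
            return "refused", len(tracker.pending)
    return "ok", len(tracker.pending)

def push_flood(count, with_headers=False):
    """Constructed server traffic: PUSH_PROMISE on stream 1 promising 2, 4, 6, ... (optionally answered)."""
    out = b""
    for promised in range(2, 2 * count + 1, 2):
        out += frame(PUSH_PROMISE, 1, promised.to_bytes(4, "big"), END_HEADERS)
        out += frame(HEADERS, promised, b"", END_HEADERS) if with_headers else b""
    return out
```

With no cap every withheld promise stays pinned, which is the memory growth the advisory describes; with a cap the client refuses the connection long before that, and a well-behaved server that answers its promises never approaches the limit.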