wojtekmach Req Decompression Bomb Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the wojtekmach Req HTTP client for Elixir, versions 0.1.0 up to (but not including) 0.6.1. The vulnerability arises from improper handling of highly compressed data, allowing an attacker-controlled HTTP server to exhaust memory in a Req client. The issue is triggered by decompression-bomb response bodies, which expand enormously when decoded and can crash the BEAM process.

Impact

Exploitation of this vulnerability leads to memory exhaustion, causing the Elixir application to crash. Because a single BEAM process runs all of the Elixir code for a given application, this disruption can also take down unrelated workloads running on the same virtual machine.

Reproduction

To reproduce this vulnerability, have an HTTP server return a small zip file (a few hundred kilobytes when compressed) containing a single entry of approximately 400 megabytes of zero bytes. The response should be sent with a status code of 200 and a content-type of application/zip. Then use the Req HTTP client to make a request to this server without any special options. The 'decode_body/1' step automatically extracts the zip file in memory, causing a large increase in memory usage that can lead to a crash.

Remediation

Users can disable automatic body decoding by passing 'decode_body: false' to 'Req.new/1' or 'Req.get!/1'. To also skip content-encoding decompression, pass 'raw: true'. With both options set, the response body is left as the raw bytes received from the server, allowing the caller to check its size before any decompression takes place.
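The following is an added example (not code from the Req project) of a client-side guard built on the remediation above: it fetches with 'decode_body: false' and 'raw: true', then enforces size limits before unzipping in memory using Erlang's ':zip' module. The module name, the two size limits and the error tuples are hypothetical choices for this example.

```elixir
defmodule SafeZipFetch do
  # Added example (not Req project code): fetch with Req's automatic
  # decoding disabled, then enforce size limits before unzipping in memory.
  require Record
  Record.defrecord(:zip_file, Record.extract(:zip_file, from_lib: "stdlib/include/zip.hrl"))
  Record.defrecord(:file_info, Record.extract(:file_info, from_lib: "kernel/include/file.hrl"))

  # Hypothetical limits chosen for this example. Deflate cannot expand by
  # more than about 1032:1, so the cap on compressed bytes is the hard bound
  # on how much a single zip layer can inflate; declared sizes are only a hint.
  @max_compressed 64 * 1024
  @max_uncompressed 32 * 1024 * 1024

  def fetch(url) do
    # decode_body: false skips the decode_body/1 step (no zip extraction);
    # raw: true also skips content-encoding decompression, so resp.body is
    # exactly the bytes received on the wire.
    resp = Req.new(url: url, decode_body: false, raw: true) |> Req.get!()

    with :ok <- check_compressed(resp.body),
         :ok <- check_declared_sizes(resp.body) do
      :zip.unzip(resp.body, [:memory])
    end
  end

  defp check_compressed(body) when byte_size(body) > @max_compressed,
    do: {:error, {:compressed_too_large, byte_size(body)}}

  defp check_compressed(_body), do: :ok

  # Sum the uncompressed sizes recorded in the zip central directory. This is
  # server-controlled metadata, so it can reject obvious bombs early but
  # never replaces the compressed-size cap above.
  defp check_declared_sizes(body) do
    with {:ok, entries} <- :zip.list_dir(body) do
      total =
        Enum.reduce(entries, 0, fn
          zip_file(info: file_info(size: size)), acc -> acc + size
          _comment, acc -> acc
        end)

      if total > @max_uncompressed,
        do: {:error, {:declared_too_large, total}},
        else: :ok
    end
  end
end
```

Against the reproduction above, the few-hundred-kilobyte bomb is rejected by 'check_compressed/1' before ':zip.unzip/2' is ever reached, so the 400 MB entry is never materialised.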

Added: Jun 8, 2026, 4:24 PM
Updated: Jun 8, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.