Ninenines Cowboy Unbounded Buffer Accumulation Vulnerability in Multipart Header Parsing Allowing Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in Ninenines Cowboy versions 2.0.0 prior to 2.15.0. The issue is unbounded buffer accumulation during the parsing of multipart headers. The affected function, 'cowboy_req:read_part/3', accumulates incoming request data into a Buffer binary with no upper limit. Whenever 'cow_multipart:parse_headers/2' reports that more data is needed, the function reads up to 64 KB more from the request body and continues with the enlarged buffer. Unlike its counterpart 'read_part_body/4', it has no safeguard against excessive accumulation. An unauthenticated attacker can exploit this by sending a multipart/form-data request whose header section never completes, for example one that omits the declared boundary delimiter or never terminates its header lines. The server process then consumes memory in proportion to the data received, and a few simultaneous uploads are enough to deplete BEAM memory.
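To make the mechanism concrete, here is a constructed model of the accumulation loop, added to this page; it is not Cowboy's code and does not call cow_multipart. It shows the unbounded loop beside a bounded variant that rejects a part once the header bytes seen so far exceed an assumed MaxHeaderSize. The chunk list, the CRLF CRLF header-end check and the limit value are all assumptions.

```erlang
-module(multipart_header_limit).
-export([read_headers_unbounded/2, read_headers_bounded/3, demo/0]).

%% Constructed model of the read_part accumulation loop described in the
%% advisory (not Cowboy's code). Chunks is the list of body chunks the server
%% receives, each at most 64 KB; a header block ends at the first CRLF CRLF.
-define(CHUNK, 65536).

%% Vulnerable pattern: the buffer grows by one chunk per iteration with no
%% upper bound, so a body whose header block never ends is held in full.
read_headers_unbounded(Buffer, Chunks) ->
    case binary:match(Buffer, <<"\r\n\r\n">>) of
        {Pos, 4} -> {ok, binary:part(Buffer, 0, Pos)};
        nomatch when Chunks =:= [] -> {error, eof, byte_size(Buffer)};
        nomatch -> [C | Rest] = Chunks,
                   read_headers_unbounded(<<Buffer/binary, C/binary>>, Rest)
    end.

%% Hardened pattern: same loop, but the part is rejected as soon as the
%% accumulated header bytes exceed MaxHeaderSize (a hypothetical limit),
%% so memory held per request is capped at one chunk above the limit.
read_headers_bounded(Buffer, Chunks, MaxHeaderSize) ->
    case binary:match(Buffer, <<"\r\n\r\n">>) of
        {Pos, 4} when Pos =< MaxHeaderSize -> {ok, binary:part(Buffer, 0, Pos)};
        {_Pos, 4} -> {error, header_too_large, byte_size(Buffer)};
        nomatch when byte_size(Buffer) > MaxHeaderSize ->
            {error, header_too_large, byte_size(Buffer)};
        nomatch when Chunks =:= [] -> {error, eof, byte_size(Buffer)};
        nomatch -> [C | Rest] = Chunks,
                   read_headers_bounded(<<Buffer/binary, C/binary>>, Rest, MaxHeaderSize)
    end.

%% Constructed input: a header line that never terminates its block (no blank
%% line), delivered as ten 64 KB chunks, plus one well-formed header block.
demo() ->
    Line = <<"X-Padding: ", (binary:copy(<<"a">>, ?CHUNK - 13))/binary, "\r\n">>,
    Chunks = lists:duplicate(10, Line),
    Good = <<"Content-Disposition: form-data; name=\"f\"\r\n\r\nbody">>,
    {ok, _} = read_headers_bounded(<<>>, [Good], 8192),
    %% Unbounded: all 655360 bytes are held before the loop gives up at eof.
    {error, eof, Unbounded} = read_headers_unbounded(<<>>, Chunks),
    %% Bounded: rejected after the first 65536-byte chunk exceeds the limit.
    {error, header_too_large, Bounded} = read_headers_bounded(<<>>, Chunks, 8192),
    #{unbounded_bytes_held => Unbounded, bounded_bytes_held => Bounded}.
```

Run with `erlc multipart_header_limit.erl && erl -noshell -eval 'io:format("~p~n", [multipart_header_limit:demo()]), halt().'`; the map shows the per-request memory held by each variant.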
Impact
Exploitation of this vulnerability causes a denial-of-service condition by exhausting BEAM memory, which can lead to application crashes or unresponsiveness.
Reproduction
To reproduce this vulnerability, send a multipart/form-data request to a server running an affected version of Ninenines Cowboy that processes multipart uploads. Ensure the request body does not include a complete header section, such as by omitting the boundary delimiter or failing to properly format the header lines. The server will accumulate memory based on the amount of data received, eventually leading to a denial-of-service condition.
Remediation
Users can upgrade to Ninenines Cowboy version 2.15.0 or later, where this vulnerability has been fixed.
