Plug Project Plug Unbounded Buffer Vulnerability in Multipart Header Parsing Allows Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the Plug library. It affects versions from 1.4.0 prior to 1.15.4, and the 1.16, 1.17, 1.18 and 1.19 release series prior to 1.16.3, 1.17.1, 1.18.2 and 1.19.2 respectively (the fixed releases listed under Remediation). The issue is unbounded buffer accumulation while parsing multipart part headers: Plug.Conn.read_part_headers/2 keeps appending incoming data to its buffer until it sees the blank line that ends a part's header block, without enforcing a limit on how much it has accumulated. An unauthenticated remote attacker can therefore send a multipart/form-data request whose header block never terminates, forcing the server to buffer attacker-controlled data until memory is exhausted.

Impact

Exploitation drives memory consumption up in proportion to the data the attacker sends, because each unterminated header block is buffered in full. Sustained or concurrent requests can exhaust the memory of the BEAM virtual machine; since BEAM aborts the whole node when it cannot allocate memory, the failure is not confined to the process handling the malicious connection, and the application can crash or become unresponsive.

Reproduction

To reproduce, send a multipart/form-data request crafted so that the header block of a part is never completed: for example, a part whose header line is never terminated with a carriage return and line feed, or a body that keeps streaming without ever reaching the blank line and boundary delimiter that close the headers. Plug.Conn.read_part_headers/2 can be exercised directly, or indirectly by configuring Plug.Parsers with the :multipart parser, which calls it during normal request processing. Memory of the request-handling process (and of the node) grows with the amount of data sent.
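The accumulation pattern described above, as an added example in Python rather than Plug's own Elixir (this is not Plug's code; the reader functions, the 16 KiB cap and the "frontier" boundary are illustrative assumptions): build_malicious_multipart produces the kind of never-terminated header block the reproduction describes, the unbounded reader models the vulnerable behaviour of buffering until the blank line arrives, and the bounded reader shows the class of fix, refusing once the header block passes a cap.

```python
"""Added example (not Plug's code): models the advisory's failure class.

Two readers consume a multipart part-header block from a byte stream. The
first appends chunks until the blank line (CRLF CRLF) that ends the headers
appears, with no cap, so a request that never sends that blank line is
buffered in full. The second caps the accumulated header bytes.
"""
import io

CRLF = b"\r\n"
HEADER_END = CRLF + CRLF


class IncompleteHeaders(Exception):
    """Stream ended before the header block was terminated."""
    def __init__(self, buffered):
        super().__init__(f"stream ended with {buffered} header bytes buffered")
        self.buffered = buffered


class HeaderTooLarge(Exception):
    """Header block exceeded the configured cap."""
    def __init__(self, buffered):
        super().__init__(f"header block exceeded cap after {buffered} bytes")
        self.buffered = buffered


def build_benign_multipart(boundary, name, payload):
    """Constructed well-formed part: boundary line, two headers, blank line, body."""
    return (b"--" + boundary.encode() + CRLF
            + b'Content-Disposition: form-data; name="' + name.encode() + b'"' + CRLF
            + b"Content-Type: text/plain" + CRLF
            + CRLF + payload)


def build_malicious_multipart(boundary, header_bytes):
    """Constructed attacker body: a boundary line followed by one header whose
    value runs for `header_bytes` bytes with no CRLF, so the header block is
    never terminated (the pattern the Reproduction section describes)."""
    return (b"--" + boundary.encode() + CRLF
            + b'Content-Disposition: form-data; name="' + b"A" * header_bytes)


def parse_headers(head):
    """Split a terminated header block into a {lower-name: value} dict,
    skipping the boundary line that precedes the headers."""
    headers = {}
    for line in head.split(CRLF):
        if not line or line.startswith(b"--"):
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def read_part_headers_unbounded(stream, chunk_size=8192):
    """Vulnerable pattern: keep appending until HEADER_END shows up.
    Memory use equals whatever the client chooses to send."""
    acc = b""
    while HEADER_END not in acc:
        chunk = stream.read(chunk_size)
        if not chunk:
            raise IncompleteHeaders(len(acc))
        acc += chunk
    head, _, rest = acc.partition(HEADER_END)
    return parse_headers(head), rest


def read_part_headers_bounded(stream, chunk_size=8192, max_header_bytes=16 * 1024):
    """Hardened pattern: refuse once the unterminated header block reaches
    the cap, so buffering per request stays below max_header_bytes + one chunk."""
    acc = b""
    while HEADER_END not in acc:
        if len(acc) >= max_header_bytes:
            raise HeaderTooLarge(len(acc))
        chunk = stream.read(chunk_size)
        if not chunk:
            raise IncompleteHeaders(len(acc))
        acc += chunk
    head, _, rest = acc.partition(HEADER_END)
    return parse_headers(head), rest


def read_from_bytes(reader, body, **opts):
    """Run a reader over an in-memory body; returns (headers, start_of_body)."""
    return reader(io.BytesIO(body), **opts)


def buffered_before_giving_up(reader, body, **opts):
    """Run `reader` over `body` and report how many bytes it had buffered
    when it gave up (0 if it parsed the headers successfully)."""
    try:
        read_from_bytes(reader, body, **opts)
        return 0
    except (IncompleteHeaders, HeaderTooLarge) as exc:
        return exc.buffered


if __name__ == "__main__":
    evil = build_malicious_multipart("frontier", 1 << 20)  # ~1 MiB header, never terminated
    print("unbounded reader buffered:", buffered_before_giving_up(read_part_headers_unbounded, evil))
    print("bounded reader buffered:  ", buffered_before_giving_up(read_part_headers_bounded, evil))
    print(read_from_bytes(read_part_headers_bounded, build_benign_multipart("frontier", "file", b"hello")))
```

Against a real target the same never-terminated body would be streamed at an endpoint behind Plug.Parsers with the :multipart parser while watching the memory of the node; the cap value here is only illustrative, and the returned `rest` is just the start of the part body, which in a real stream continues until the next boundary delimiter.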

Remediation

Users should upgrade to the fixed release for the series they are on: 1.15.4, 1.16.3, 1.17.1, 1.18.2, or 1.19.2. Until the upgrade is deployed, capping the accepted request body size at a reverse proxy in front of the application bounds how much an attacker can make the server buffer, but that is a mitigation, not a fix.

Added: May 14, 2026, 11:22 AM
Updated: May 14, 2026, 11:22 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  5.7
remediation     7.7
relevance       8.3
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.