keycloak-fips
24.0.3-r0
5.3
CVSS V3
Netty's HttpPostRequestDecoder can OOM
The HttpPostRequestDecoder
can be tricked to accumulate data. I have spotted currently two attack vectors
bodyListHttpData
list.undecodedChunk
buffer until it can decode a field, this field can cumulate data without limitsHere is a Netty branch that provides a fix + tests : https://github.com/vietj/netty/tree/post-request-decoder
Here is a reproducer with Vert.x (which uses this decoder) https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
Any Netty based HTTP server that uses the HttpPostRequestDecoder
to decode a form.