
Security Issue: ReDOS-Attack Vector in Dicer dependency #265

Closed
Uzlopak opened this issue Dec 6, 2021 · 1 comment

Comments


Uzlopak commented Dec 6, 2021

tl;dr: An attacker could repeatedly send a payload with large headers that contain no colon, resulting in a ReDoS attack.

The regex for handling header pairs is prone to catastrophic backtracking.

This is even more critical, as busboy's default limit for multipart headers is 80 kB and, if a header is not valid, the header counter is not incremented. This means that the attacker could send a big payload of multipart form data where each part contains 80 kB of invalid header data, resulting in a DoS attack.

We are gonna fix this in our fork:
fastify/busboy#72
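The two weaknesses named in the report are a backtracking regex on header lines and a header counter that ignores malformed lines. The parser below is an added illustration of the defensive shape a fix takes; it is not dicer's, busboy's or the fastify fork's code, and the limits, function name and sample header block are assumptions made up for this example. It finds the colon with a single linear scan instead of a regex, so a 80 kB line without a colon costs one pass rather than exponential backtracking, and it counts every non-empty line toward the pair limit, so invalid headers can no longer be repeated for free.

```javascript
// Added example (not dicer's or busboy's code): a linear-time multipart
// header-block parser that avoids a backtracking regex for "name: value"
// pairs and counts malformed lines toward the header limit.

// Assumed limits. The issue mentions an 80 kB default for the header block;
// the pair limit is a made-up value for this example.
const MAX_HEADER_BYTES = 80 * 1024;
const MAX_HEADER_PAIRS = 2000;

// Constructed sample: two valid headers plus one line with no colon at all.
const SAMPLE_BLOCK =
  'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n' +
  'Content-Type: text/plain\r\n' +
  'x'.repeat(64) + '\r\n' +   // malformed: no colon, must still be counted
  '\r\n';

function parseHeaderBlock(block, opts) {
  opts = opts || {};
  const maxBytes = opts.maxHeaderBytes !== undefined ? opts.maxHeaderBytes : MAX_HEADER_BYTES;
  const maxPairs = opts.maxHeaderPairs !== undefined ? opts.maxHeaderPairs : MAX_HEADER_PAIRS;

  // Reject oversized header blocks before doing any per-line work.
  if (Buffer.byteLength(block, 'latin1') > maxBytes) {
    throw new Error('header block exceeds size limit');
  }

  const headers = Object.create(null);
  let pairs = 0;
  let invalid = 0;

  // Header folding (continuation lines) is deliberately not handled here.
  for (const line of block.split('\r\n')) {
    if (line.length === 0) continue;

    // Count every line, valid or not, so malformed lines cannot bypass the limit.
    pairs += 1;
    if (pairs > maxPairs) throw new Error('too many header lines');

    // One linear scan for the separator; no regex, hence no catastrophic backtracking.
    const colon = line.indexOf(':');
    if (colon <= 0) {           // no colon, or empty header name
      invalid += 1;
      continue;
    }

    const name = line.slice(0, colon).trim().toLowerCase();
    let value = line.slice(colon + 1);
    // Strip a single optional space or tab after the colon.
    if (value.charAt(0) === ' ' || value.charAt(0) === '\t') value = value.slice(1);

    if (!headers[name]) headers[name] = [];
    headers[name].push(value);
  }

  return { headers, pairs, invalid };
}

// Stand-alone run over the constructed sample.
console.log(JSON.stringify(parseHeaderBlock(SAMPLE_BLOCK)));
```

Because the cost of each line is bounded by its length and the number of lines is bounded by the pair limit, total work per part is bounded by the size limit alone, which is the property the report says the regex-based parser lacked.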

mscdex (Owner) commented Dec 11, 2021

The proper avenue for such reports for any of my repositories is an email to: security at mscdex.net.

mscdex closed this as completed Dec 11, 2021