5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-29025

CVE-2024-29025: Netty's HttpPostRequestDecoder can OOM

Summary

The HttpPostRequestDecoder can be tricked to accumulate data. I have spotted currently two attack vectors

Details

While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.
The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, this field can cumulate data without limits

PoC

Here is a Netty branch that provides a fix + tests : https://github.com/vietj/netty/tree/post-request-decoder

Here is a reproducer with Vert.x (which uses this decoder) https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3

Impact

Any Netty based HTTP server that uses the HttpPostRequestDecoder to decode a form.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-29025

CVE-2024-29025:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.netty:netty-codec-http	maven	< 4.1.108.Final	4.1.108.Final

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability CVE-2024-29025 in Netty's HttpPostRequestDecoder allows for OutOfMemoryErrors (OOM) due to two primary issues: unbounded accumulation of bytes in an internal buffer (undecodedChunk) during field decoding, and no limit on the total number of form fields, leading to potential unbounded growth of the bodyListHttpData list.

The provided patch (commit 0d0c6ed782d13d423586ad0c71737b2c7d02058c) addresses these vulnerabilities by introducing two new configurable limits: maxBufferedBytes for the size of the undecodedChunk and maxFields for the maximum number of attributes a form can have. These limits are now enforced within the decoding logic.

The vulnerable functions are identified by observing where these crucial limit checks were absent in the pre-patch code and were subsequently added by the patch:

The offer methods in both HttpPostMultipartRequestDecoder and HttpPostStandardRequestDecoder were vulnerable because they processed incoming data and populated the undecodedChunk without checking its size against maxBufferedBytes.
The addHttpData methods in both HttpPostMultipartRequestDecoder and HttpPostStandardRequestDecoder were vulnerable because they added parsed data to the bodyListHttpData list without checking the total number of fields against maxFields.
Several constructors of HttpPostMultipartRequestDecoder, HttpPostStandardRequestDecoder, and the main facade class HttpPostRequestDecoder are also identified as contributing to the vulnerability. Specifically, constructors that did not accept or internally apply these limits would create decoder instances that were inherently unsafe and susceptible to the OOM conditions when their offer or addHttpData methods were invoked. The patch modifies these existing constructors to either accept the new limit parameters directly or to delegate to new overloaded constructors that do, applying default values for these limits to ensure safety.

The evidence for each function's vulnerability is derived directly from the patch: the addition of specific boundary checks (e.g., if (maxBufferedBytes > 0 && ...) or if (maxFields > 0 && ...)) or the modification of constructor logic to incorporate these limits clearly indicates that the absence of these measures in the prior versions constituted the security flaw.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-29025: Netty's HttpPostRequestDecoder can OOM

Summary

Details

PoC

Impact

CVE-2024-29025:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

5.3

5.3

Basic Information

Basic Information

CVE-2024-29025: Netty's HttpPostRequestDecoder can OOM

Summary

Details

PoC

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI