The HttpPostRequestDecoder can be tricked into accumulating data. I have spotted currently two attack vectors:
1. Decoded fields are kept in the bodyListHttpData list, which has no size limit.
2. The decoder accumulates bytes in the undecodedChunk buffer until it can decode a field; that field can accumulate data without limits.

Here is a Netty branch that provides a fix + tests: https://github.com/vietj/netty/tree/post-request-decoder
Here is a reproducer with Vert.x (which uses this decoder): https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
Any Netty based HTTP server that uses the HttpPostRequestDecoder to decode a form is affected.
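As an added example (not code from the advisory, the fix branch or the Vert.x reproducer), the wrapper below uses only the pre-existing public HttpPostRequestDecoder API to enforce the two budgets the decoder itself lacks: a cap on bytes offered, which bounds undecodedChunk, and a cap on decoded fields, which bounds bodyListHttpData. The class name, the limits and the sample body are assumptions.

```java
import io.netty.buffer.Unpooled;
import io.netty.handler.codec.http.DefaultHttpRequest;
import io.netty.handler.codec.http.DefaultLastHttpContent;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;
import io.netty.handler.codec.http.multipart.HttpPostRequestDecoder;

public final class BoundedFormDecoder {
    private final HttpPostRequestDecoder decoder;
    private final int maxFields;      // bounds bodyListHttpData (attack vector 1)
    private final long maxBytes;      // bounds undecodedChunk and total field data (attack vector 2)
    private long bytesOffered;
    private int fieldsSeen;
    public BoundedFormDecoder(HttpRequest request, int maxFields, long maxBytes) {
        // useDisk=false keeps fields in memory; the two budgets below are what keep that bounded
        this.decoder = new HttpPostRequestDecoder(new DefaultHttpDataFactory(false), request);
        this.maxFields = maxFields;
        this.maxBytes = maxBytes;
    }
    /** Feed one body chunk. Checks run per chunk, so the byte budget also caps what one chunk can add. */
    public void offer(HttpContent chunk) {
        bytesOffered += chunk.content().readableBytes();
        if (bytesOffered > maxBytes) reject("form body exceeds " + maxBytes + " bytes");
        decoder.offer(chunk);
        try {
            while (decoder.hasNext()) {   // drain and count every field decoded so far
                decoder.next();
                if (++fieldsSeen > maxFields) reject("form has more than " + maxFields + " fields");
            }
        } catch (HttpPostRequestDecoder.EndOfDataDecoderException end) { /* last chunk fully consumed */ }
    }

    private void reject(String why) { decoder.destroy(); throw new IllegalStateException(why); }
    public static void main(String[] args) {
        HttpRequest req = new DefaultHttpRequest(HttpVersion.HTTP_1_1, HttpMethod.POST, "/form");
        req.headers().set("Content-Type", "application/x-www-form-urlencoded");
        StringBuilder body = new StringBuilder("f0=v");   // constructed sample body: 100 tiny fields
        for (int i = 1; i < 100; i++) body.append("&f").append(i).append("=v");
        BoundedFormDecoder bounded = new BoundedFormDecoder(req, 16, 4096);
        try {
            bounded.offer(new DefaultLastHttpContent(Unpooled.copiedBuffer(body.toString().getBytes())));
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The fixed Netty release builds equivalent limits into the decoder itself (setMaxFields and setMaxBufferedBytes); prefer those over a wrapper once upgraded.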
NVD published: 2024-03-25T20:15:08Z. CWE: CWE-770. Severity: MODERATE. GitHub reviewed: 2024-03-25T19:40:50Z.