Skip to content

Memory exhaustion in http4s-async-http-client with large or malicious compressed responses

Low severity GitHub Reviewed Published Oct 16, 2020 in http4s/http4s • Updated Jan 9, 2023

Package

maven org.http4s:http4s-async-http-client_2.12 (Maven)

Affected versions

<= 0.21.7

Patched versions

0.21.8
maven org.http4s:http4s-async-http-client_2.13 (Maven)
<= 0.21.7
0.21.8

Description

Impact

A server we connect to with http4s-async-http-client could theoretically respond with a large or malicious compressed stream and exhaust memory in the client JVM. It does not affect http4s servers, other client backends, or clients that speak only to trusted servers. This is related to a transitive dependency on netty-codec-4.1.45.Final, which is affected by CVE-2020-11612.

Patches

Upgrade to http4s-async-http-client >= 0.21.8. All 1.0 milestones are also safe.

Workarounds

Add an explicit runtime dependency on async-http-client's netty dependencies that evicts them to an unaffected version:

libraryDependencies ++= Seq(
  "io.netty" %  "netty-codec"         % "4.1.53.Final" % Runtime,
  "io.netty" %  "netty-codec-socks"   % "4.1.53.Final" % Runtime,
  "io.netty" %  "netty-handler-proxy" % "4.1.53.Final" % Runtime,
  "io.netty" %  "netty-common"        % "4.1.53.Final" % Runtime,
  "io.netty" %  "netty-transport"     % "4.1.53.Final" % Runtime,
  "io.netty" %  "netty-handler"       % "4.1.53.Final" % Runtime,
  "io.netty" %  "netty-resolver-dns"  % "4.1.53.Final" % Runtime
)

References

For more information

If you have any questions or comments about this advisory:

References

@rossabaker rossabaker published to http4s/http4s Oct 16, 2020
Reviewed Oct 16, 2020
Published to the GitHub Advisory Database Oct 16, 2020
Last updated Jan 9, 2023

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-8hxh-r6f7-jf45

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.