Skip to content

DoS Vulnerability from Upstream Actix Web Issues

High severity GitHub Reviewed Published Dec 15, 2021 in framesurge/perseus • Updated Jan 9, 2023

Package

cargo perseus-actix-web (Rust)

Affected versions

<= 0.3.0-beta.21

Patched versions

0.3.0-beta.22

Description

Impact

This vulnerability affects all users of the perseus deploy functionality who have not exported their sites to static files. If you are using the inbuilt Perseus server in production, there is a memory leak in Actix Web stemming from this upstream issue which can allow even a single user to cause the process to exhaust its memory on low-memory servers by continuously reloading the page. Note that this issue does not affect all Actix Web applications, but rather results from certain usage patterns which appear to be present in Perseus' server mechanics.

Patches

This vulnerability is addressed in all versions after Perseus v0.3.0-beta.21, which temporarily discontinues the use of perseus-actix-web (until the upstream bug is fixed) and switches to perseus-warp instead, which utilizes Warp.

Additionally, as of Perseus v0.3.0-beta.22, the Actix Web integration has been upgraded to use the latest unstable beta version of Actix Web, which appears to partially resolve this issue (the severity of the memory leak is reduced). However, due to the instability of this version, the default integration will remain Warp for now, and a warning will appear if you attempt to use the Actix Web integration.

Using the Actix Web integration

If the instability of the latest beta version of Actix Web is not a concern for you, you can use this integration by adding -i actix-web to perseus serve and the like. This will print a warning about instability, and will then operate with the beta version. Please report any failures in functionality that are not security-related to the Perseus team by opening an issue on the repository.

Note however that switching to the Warp integration requires no code changes whatsoever unless you've ejected, so there are very few disadvantages to this change.

Workarounds

Due to significant infrastructural changes within other Perseus packages that were needed to support Warp, this integration is not backward-compatible with any previous version of Perseus, meaning there are no easily feasible workarounds. If you're only in development though, this vulnerability is irrelevant until you push to production.

CVE Status

Due to GitHub's requirements, a CVE can't be issued for this security advisory because the issue is technically one with Actix Web (though it's only in combination with certain mechanics in the Perseus server that this problem arises).

References

See this upstream issue in Actix Web.

For more information

If you have any questions or comments about this advisory:

References

@arctic-hen7 arctic-hen7 published to framesurge/perseus Dec 15, 2021
Reviewed Dec 15, 2021
Published to the GitHub Advisory Database Dec 15, 2021
Last updated Jan 9, 2023

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-gjrj-9rj4-pgwx

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.