CVE-2023-38434
Description
xHTTP 72f812d has a double free in close_connection in xhttp.c via a malformed HTTP request method.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
xHTTP commit 72f812d has a double-free vulnerability in close_connection triggered by a malformed HTTP request method, leading to a crash.
Vulnerability
A double-free vulnerability exists in xHTTP commit 72f812d, specifically in the close_connection function at line 595 of xhttp.c. The bug is triggered when the server receives a malformed HTTP request method, such as an extremely long string of invalid characters (e.g., 'MALFORMEDMETHOD'*1000). The double free occurs on the conn->request.public.headers.list pointer, which is freed twice without being reset between calls. The vulnerability is reachable without special configuration; any client can send a crafted HTTP request to the server. [1]
Exploitation
An attacker can trigger the double free by sending a specially crafted HTTP request with a malformed method. The proof-of-concept Python script sends a request where the HTTP method is replaced by a long string of repeated invalid bytes, followed by a space and a path. The attacker needs network access to the xHTTP server (default port 8080). No authentication is required. The server must be compiled with debug symbols to observe the crash, but the vulnerability exists in a default build. The sequence of steps involves connecting to the server, sending the malformed request, and observing the crash or memory corruption. [1]
Impact
Successful exploitation causes a double free in the xHTTP server, leading to a crash (denial of service). The AddressSanitizer output confirms the double free on the heap, which could potentially be leveraged for arbitrary code execution depending on the heap state and memory allocator, though the primary demonstrated impact is a crash. [1]
Mitigation
As of the publication date (2023-07-18), no fixed version has been released. The only mitigation is to avoid using xHTTP in production, or to apply a patch that prevents the double free (e.g., by setting the freed pointer to NULL after the first free). The issue is tracked in the GitHub repository issue #1. [1]
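The NULL-after-free mitigation mentioned above, shown as an added C example that is not xHTTP's code. The struct layout, the function names and the quarantining allocator are assumptions made for illustration; only the field name headers.list is taken from the advisory.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical connection state: only the name headers.list is from the advisory. */
struct headers { char **list; size_t count; };
struct conn { struct headers headers; };

/* Quarantining allocator (assumed helper): a released block is only marked,
 * never handed back to the heap, so a repeat release is counted, not UB.
 * Blocks are deliberately leaked to keep the demonstration defined. */
union blk { int freed; max_align_t align; };
static int double_frees;

static void *q_alloc(size_t n) {
    union blk *b = calloc(1, sizeof *b + n);
    return b ? b + 1 : NULL;
}

static void q_free(void *p) {
    if (!p) return;                     /* same contract as free(NULL) */
    union blk *b = (union blk *)p - 1;
    if (b->freed) double_frees++;       /* second release of the same block */
    b->freed = 1;
}

/* Pattern described in the advisory: pointer released but not reset. */
static void close_vulnerable(struct conn *c) {
    q_free(c->headers.list);
}

/* Hardened: clear pointer and count so a second cleanup call is a no-op. */
static void close_hardened(struct conn *c) {
    q_free(c->headers.list);
    c->headers.list = NULL;
    c->headers.count = 0;
}

/* Runs cleanup twice on one connection; returns double frees observed. */
static int run_twice(void (*close_fn)(struct conn *)) {
    struct conn c = { { q_alloc(4 * sizeof(char *)), 4 } };
    double_frees = 0;
    close_fn(&c);
    close_fn(&c);
    return double_frees;
}

int main(void) {
    printf("vulnerable=%d hardened=%d\n", run_twice(close_vulnerable), run_twice(close_hardened));
}
```

Building the real server with `-fsanitize=address` gives the same signal on the actual heap, which is how the referenced report observed the bug.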
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- xHTTP/xHTTP
Patches
No patches discovered yet.
References