VYPR
Unrated severity · NVD Advisory · Published Sep 5, 2023 · Updated Apr 4, 2025

DoS in lua-http library

CVE-2023-4540

Description

Improper Handling of Exceptional Conditions vulnerability in Daurnimator lua-http library allows Excessive Allocation and a denial of service (DoS) attack to be executed by sending a properly crafted request to the server. Such a request causes the program to enter an infinite loop.

This issue affects lua-http: all versions before commit ddab283.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-4540 is a denial-of-service vulnerability in the lua-http library, allowing an attacker to cause an infinite loop via a crafted request.

Vulnerability

CVE-2023-4540 is an improper handling of exceptional conditions vulnerability in the Daurnimator lua-http library. The bug resides in the h1_stream module, specifically in the handling of content-length delimited streams when a connection is closed prematurely. By sending a specially crafted HTTP request that triggers an EOF event while the stream is in a certain state, the server enters an infinite loop, leading to excessive resource allocation and denial of service. Affected versions include all versions before commit ddab283 [1][2].

Exploitation

An attacker can exploit this vulnerability by sending a properly crafted HTTP request to a server using the vulnerable lua-http library. The attack requires network access to the target server and no authentication. The specific sequence involves the server expecting more data based on a content-length header, but the connection is closed before all data is sent, causing the library's read loop to never exit. The fix introduced in commit ddab283 adds a check for EOF when body_read_type is length, returning an error instead of looping indefinitely [2].

Impact

Successful exploitation results in a denial of service (DoS) condition. The server becomes unresponsive due to the infinite loop, consuming CPU resources indefinitely. This can lead to service disruption for legitimate users. The vulnerability does not allow data exfiltration or privilege escalation [1][2].

Mitigation

The vulnerability is fixed in commit ddab283, which should be applied by all users. The commit introduces proper handling of EOF conditions when reading a content-length delimited stream, preventing the infinite loop. There is no known workaround aside from upgrading to a patched version. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
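The Vulnerability, Exploitation and Mitigation sections above all describe one mechanism: a content-length delimited read loop that treats EOF as "no data yet" and spins forever, and a fix that returns an error instead. The following Python model is an added illustration of that pattern and its hardened form; it is not lua-http's code and does not reproduce the h1_stream module or commit ddab283. The term body_read_type is taken from the advisory text; FakeConn, parse_body_framing, read_body_vulnerable, read_body_fixed, serve_once and the constructed request bytes are assumptions made for this example. The vulnerable loop is capped at max_iterations so that the demonstration terminates.

```python
"""Model of the CVE-2023-4540 read-loop pattern (added example, not lua-http code)."""


class FakeConn:
    """Constructed stand-in for a socket whose peer sends part of a body and closes.

    Like a real socket, recv() returns b"" on EOF, and keeps returning b""
    on every later call.
    """

    def __init__(self, data: bytes, chunk: int = 4):
        self._buf = data
        self._chunk = chunk
        self.reads = 0  # how many recv() calls were made (for observation)

    def recv(self, n: int) -> bytes:
        self.reads += 1
        take = min(n, self._chunk)
        out, self._buf = self._buf[:take], self._buf[take:]
        return out


def parse_body_framing(raw_request: bytes):
    """Decide how the body is delimited, in the spirit of the page's body_read_type.

    Returns ("chunked", None), ("length", n) or ("none", 0).
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        return "chunked", None
    if b"content-length" in headers:
        return "length", int(headers[b"content-length"])
    return "none", 0


def read_body_vulnerable(conn, content_length: int, max_iterations: int = 10_000):
    """Read loop with the defect the advisory describes.

    An empty read (EOF) is treated as "nothing arrived yet", so once the peer
    closes early the loop never makes progress and never exits. max_iterations
    is an artificial cap standing in for the infinite loop; hitting it returns
    status "hung".
    """
    body = bytearray()
    remaining = content_length
    iterations = 0
    while remaining > 0:
        iterations += 1
        if iterations > max_iterations:
            return bytes(body), "hung"
        chunk = conn.recv(remaining)
        # Bug: no EOF check. chunk == b"" leaves `remaining` unchanged.
        body += chunk
        remaining -= len(chunk)
    return bytes(body), "ok"


def read_body_fixed(conn, content_length: int) -> bytes:
    """Hardened loop: EOF with bytes outstanding is an error, not a retry.

    This mirrors the page's description of the fix (check for EOF when
    body_read_type is "length" and return an error); the exact code in
    commit ddab283 is not reproduced here.
    """
    body = bytearray()
    remaining = content_length
    while remaining > 0:
        chunk = conn.recv(remaining)
        if chunk == b"":
            raise ConnectionError(
                f"peer closed with {remaining} of {content_length} body bytes outstanding"
            )
        body += chunk
        remaining -= len(chunk)
    return bytes(body)


def serve_once(raw_request: bytes, fixed: bool, max_iterations: int = 10_000) -> str:
    """Feed one constructed request to either loop and report the outcome."""
    _, _, body_bytes = raw_request.partition(b"\r\n\r\n")
    body_read_type, length = parse_body_framing(raw_request)
    if body_read_type != "length":
        return "not-modelled"
    conn = FakeConn(body_bytes)  # the peer sends only this much, then closes
    if fixed:
        try:
            read_body_fixed(conn, length)
            return "ok"
        except ConnectionError:
            return "error-returned"
    _, status = read_body_vulnerable(conn, length, max_iterations)
    return status


# Constructed sample: Content-Length promises 100 bytes, only 5 arrive before EOF.
TRUNCATED_REQUEST = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 100\r\n\r\nhello"
# Constructed sample: a well-formed request whose body is complete.
COMPLETE_REQUEST = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    print("vulnerable, truncated body:", serve_once(TRUNCATED_REQUEST, fixed=False, max_iterations=50))
    print("fixed, truncated body:     ", serve_once(TRUNCATED_REQUEST, fixed=True))
    print("fixed, complete body:      ", serve_once(COMPLETE_REQUEST, fixed=True))
```

The design point is where EOF is handled: a byte-counting loop must treat a zero-length read as a terminal condition whenever bytes are still owed, because a closed socket will return zero-length reads forever. Returning an error lets the server release the stream and the connection instead of pinning a CPU on a request that can never complete.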

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Daurnimator/lua-http [llm-create], 2 versions
    • (no CPE) range: < commit ddab283
    • (no CPE) range: 0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.