Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays

Vulnerability

The io.netty.handler.codec.redis.RedisArrayAggregator in Netty versions <= 4.1.134.Final and >= 4.2.0.Final, <= 4.2.14.Final does not limit the depth of nested arrays. When processing a Redis payload, it uses a Deque to track nested arrays and allocates a new AggregateState and ArrayList for each nested array header. This lack of a depth limit allows for excessive memory allocation [3], [4].

Exploitation

An attacker can exploit this vulnerability by sending a continuous stream of nested array headers in a Redis payload, such as *1\r\n*1\r\n*1\r\n.... Each header causes the RedisArrayAggregator to push a new state onto its internal stack and allocate memory for an ArrayList. By sending millions of such headers, an attacker can trigger a massive consumption of heap memory [3], [4].

Impact

Successful exploitation of this vulnerability results in a Denial of Service (DoS) due to memory exhaustion. Applications using Netty's RedisArrayAggregator to handle untrusted Redis traffic are susceptible to this condition, which can lead to an OutOfMemoryError and server instability [3], [4].

Mitigation

This vulnerability is fixed in Netty version 4.1.135.Final and 4.2.15.Final. Users are advised to upgrade to these patched versions or later. No workarounds are specified in the available references [1], [2], [3], [4].