A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service (DoS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This leads to excessive memory consumption and potential system instability, which can be exploited to disrupt Redlib instances. This vulnerability was introduced in 2e95e1fc6e2064ccfae87964b4860bda55eddb9a and fixed in 15147cea8e42f6569a11603d661d71122f6a02dc.
What kind of vulnerability is it? Who is impacted?
This vulnerability allows a remote attacker with network access to exploit the preference restoration mechanism by providing a compressed payload that expands dramatically upon decompression. The issue arises because the system automatically decompresses user-supplied data without enforcing size limits, potentially leading to:
The problem has been patched in 15147cea8e42f6569a11603d661d71122f6a02dc. Users should upgrade to v0.36.0.
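To make the failure mode concrete, the following is an added example (not Redlib's own code, which is Rust; Python's zlib is used here so it runs stand-alone) showing the unbounded inflate pattern beside a bounded one that refuses any blob whose output would exceed a fixed cap. The sample payloads are constructed here, and base2048 decoding is assumed to have already happened before the bytes reach these functions.

```python
import zlib

# Constructed sample payloads (not from the advisory). In Redlib the blob would
# arrive base2048-encoded; base2048 decoding is assumed to have happened already.
LEGIT_PLAIN = b'{"theme":"dark","front_page":"popular"}'
LEGIT = zlib.compress(LEGIT_PLAIN)
# A few KiB of DEFLATE that inflates to 8 MiB of zero bytes: the bomb shape.
BOMB = zlib.compress(b"\x00" * (8 * 1024 * 1024), level=9)

MAX_PREFS_BYTES = 64 * 1024  # generous upper bound for a preferences blob


class DecompressionTooLarge(ValueError):
    pass


def inflate_unbounded(data: bytes) -> bytes:
    """Vulnerable pattern: output size is whatever the stream says it is."""
    return zlib.decompress(data)


def inflate_bounded(data: bytes, limit: int = MAX_PREFS_BYTES) -> bytes:
    """Hardened pattern: inflate incrementally and stop as soon as the output
    would exceed `limit`, so memory use is bounded by the limit rather than by
    the attacker's compression ratio."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while pending:
        # max_length caps this call's output. It must stay > 0; since we bail
        # whenever len(out) > limit, limit - len(out) + 1 >= 1 always holds.
        out += d.decompress(pending, limit - len(out) + 1)
        if len(out) > limit:
            raise DecompressionTooLarge(f"output exceeds {limit} bytes")
        pending = d.unconsumed_tail  # input held back because of the cap
    out += d.flush()  # at most a partial match / stored block remains here
    if len(out) > limit:
        raise DecompressionTooLarge(f"output exceeds {limit} bytes")
    return bytes(out)


def accepts(data: bytes, limit: int = MAX_PREFS_BYTES) -> bool:
    """True if the hardened path would restore this blob, False if it rejects it."""
    try:
        inflate_bounded(data, limit)
        return True
    except DecompressionTooLarge:
        return False
```

The bounded variant rejects the bomb after producing at most limit + 1 bytes, while the legitimate preferences blob round-trips unchanged.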
Until a patch is available, users can block access to the encoded-restore endpoint (/settings/encoded-restore) at the reverse-proxy level if not required.

NVD published: 2025-03-20T19:15:38Z. CWE IDs: CWE-400, CWE-502. Severity: HIGH. GitHub reviewed: 2025-03-21T15:26:55Z.