GHSA-g8vq-v3mg-7mrg

Suggest an improvement
Source
https://github.com/advisories/GHSA-g8vq-v3mg-7mrg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-g8vq-v3mg-7mrg/GHSA-g8vq-v3mg-7mrg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g8vq-v3mg-7mrg
Aliases
Published
2025-03-21T15:26:55Z
Modified
2025-03-21T15:26:55Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Redlib allows a Denial of Service via DEFLATE Decompression Bomb in restore_preferences Form
Details

A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service (DOS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This leads to excessive memory consumption and potential system instability, which can be exploited to disrupt Redlib instances. This vulnerability was introduced in 2e95e1fc6e2064ccfae87964b4860bda55eddb9a and fixed in 15147cea8e42f6569a11603d661d71122f6a02dc.

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability allows a remote attacker with network access to exploit the preference restoration mechanism by providing a compressed payload that expands dramatically upon decompression. The issue arises because the system automatically decompresses user-supplied data without enforcing size limits, potentially leading to:

  • Out-of-memory (OOM) conditions
  • OS-level resource exhaustion, potentially leading to broader system instability or crashes
  • Repeated exploitation, keeping the target system in a persistent degraded state
  • Denial-of-service of any public instance

Patches

The problem has been patched in 15147cea8e42f6569a11603d661d71122f6a02dc. Users should upgrade to v0.36.0.

Workarounds

Until a patch is available, users can:

  • Implement request size limits at the web server or application level to reject excessively large inputs.
  • Disable or restrict the restore_preferences route (/settings/encoded-restore) at the reverse-proxy level if not required.
  • Monitor server logs for unusually large or repeated restore_preferences requests and block offending IPs.
Database specific
{
    "nvd_published_at": "2025-03-20T19:15:38Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T15:26:55Z"
}
References

Affected packages

crates.io / redlib

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.36.0