GHSA-G8VQ-V3MG-7MRG

Vulnerability from github – Published: 2025-03-21 15:26 – Updated: 2025-03-21 15:26
Summary
Redlib allows a Denial of Service via DEFLATE Decompression Bomb in restore_preferences Form
Details

A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service (DoS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This leads to excessive memory consumption and potential system instability, which can be exploited to disrupt Redlib instances. This vulnerability was introduced in 2e95e1fc6e2064ccfae87964b4860bda55eddb9a and fixed in 15147cea8e42f6569a11603d661d71122f6a02dc.

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability allows a remote attacker with network access to exploit the preference restoration mechanism by providing a compressed payload that expands dramatically upon decompression. The issue arises because the system automatically decompresses user-supplied data without enforcing size limits, potentially leading to:

  • Out-of-memory (OOM) conditions
  • OS-level resource exhaustion, potentially leading to broader system instability or crashes
  • Repeated exploitation, keeping the target system in a persistent degraded state
  • Denial-of-service of any public instance
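The root cause above is decompression of attacker-controlled input with no cap on the inflated size. The following is an added Python example, not Redlib's code (Redlib is written in Rust), showing the defensive pattern: inflate in bounded steps and abort as soon as the output would exceed a limit, so a small payload can never force the server to materialise its full expansion. The base2048 decoding step is omitted, the functions work on the raw DEFLATE bytes, and MAX_INFLATED_BYTES and both sample payloads are constructed for the demonstration.

```python
import zlib

# Constructed cap on the inflated size we are willing to hold in memory.
# Redlib's own limit is not stated on the advisory page.
MAX_INFLATED_BYTES = 64 * 1024


class InflateLimitExceeded(ValueError):
    """Raised when a DEFLATE stream would expand past the configured cap."""


def inflate_bounded(payload: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate a raw DEFLATE stream, refusing to produce more than `limit` bytes.

    decompressobj.decompress(data, max_length) stops once max_length output
    bytes are ready and parks the unprocessed input in .unconsumed_tail, so a
    bomb is detected after at most limit + 1 bytes have been produced.
    """
    d = zlib.decompressobj(wbits=-15)  # -15: raw DEFLATE, no zlib/gzip header
    out = bytearray()
    chunk = payload
    while chunk:
        want = limit - len(out) + 1  # request one byte past the cap
        out += d.decompress(chunk, want)
        if len(out) > limit:
            raise InflateLimitExceeded(f"inflated size exceeds {limit} bytes")
        chunk = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated DEFLATE stream")
    return bytes(out)


def deflate_raw(data: bytes) -> bytes:
    """Helper to build raw DEFLATE test payloads."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


# Constructed inputs: a plausible small preferences blob, and a bomb made of
# 8 MiB of zeros that compresses to a few KiB but inflates far past the cap.
PREFS = b'{"theme":"dark","front_page":"popular","layout":"card"}'
BOMB = deflate_raw(b"\0" * (8 * 1024 * 1024))


def check_payload(payload: bytes) -> str:
    """Classify a submitted payload the way a hardened handler would."""
    try:
        inflate_bounded(payload)
        return "accepted"
    except InflateLimitExceeded:
        return "rejected: decompression bomb"
    except (zlib.error, ValueError):
        return "rejected: malformed"
```

A request-body size limit at the proxy, as the workarounds suggest, does not help on its own here: BOMB is only a few kilobytes on the wire, so the cap has to be applied to the inflated output.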

Patches

The problem has been patched in 15147cea8e42f6569a11603d661d71122f6a02dc. Users should upgrade to v0.36.0.

Workarounds

Until a patch is available, users can:

  • Implement request size limits at the web server or application level to reject excessively large inputs.
  • Disable or restrict the restore_preferences route (/settings/encoded-restore) at the reverse-proxy level if not required.
  • Monitor server logs for unusually large or repeated restore_preferences requests and block offending IPs.

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "redlib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.36.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T15:26:55Z",
    "nvd_published_at": "2025-03-20T19:15:38Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Redlib where an attacker can cause a denial-of-service (DOS) condition by submitting a specially crafted base2048-encoded DEFLATE decompression bomb to the restore_preferences form. This leads to excessive memory consumption and potential system instability, which can be exploited to disrupt Redlib instances. This vulnerability was introduced in 2e95e1fc6e2064ccfae87964b4860bda55eddb9a and fixed in 15147cea8e42f6569a11603d661d71122f6a02dc.\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis vulnerability allows a remote attacker with network access to exploit the preference restoration mechanism by providing a compressed payload that expands dramatically upon decompression. The issue arises because the system automatically decompresses user-supplied data without enforcing size limits, potentially leading to:\n\n- Out-of-memory (OOM) conditions\n- OS-level resource exhaustion, potentially leading to broader system instability or crashes\n- Repeated exploitation, keeping the target system in a persistent degraded state\n- Denial-of-service of any public instance\n\n### Patches\nThe problem has been patched in 15147cea8e42f6569a11603d661d71122f6a02dc. Users should upgrade to v0.36.0.\n\n### Workarounds\nUntil a patch is available, users can:\n\n- Implement request size limits at the web server or application level to reject excessively large inputs.\n- Disable or restrict the restore_preferences route (`/settings/encoded-restore`) at the reverse-proxy level if not required.\n- Monitor server logs for unusually large or repeated restore_preferences requests and block offending IPs.",
  "id": "GHSA-g8vq-v3mg-7mrg",
  "modified": "2025-03-21T15:26:55Z",
  "published": "2025-03-21T15:26:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/crewjam/saml/security/advisories/GHSA-5mqj-xc49-246p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/redlib-org/redlib/security/advisories/GHSA-g8vq-v3mg-7mrg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30160"
    },
    {
      "type": "WEB",
      "url": "https://github.com/redlib-org/redlib/commit/15147cea8e42f6569a11603d661d71122f6a02dc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/redlib-org/redlib/commit/2e95e1fc6e2064ccfae87964b4860bda55eddb9a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/redlib-org/redlib"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Redlib allows a Denial of Service via DEFLATE Decompression Bomb in restore_preferences Form"
}
