GHSA-3244-j874-rhc2
Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays
Details
### Summary An attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError.
### Details io.netty.handler.codec.redis.RedisArrayAggregator aggregates RedisMessage parts into ArrayRedisMessage. It uses a `Deque<AggregateState>` to keep track of nested arrays. However, it does not limit the maximum depth of nested arrays. When an attacker sends a continuous stream of nested array headers (e.g., `*1\r\n*1\r\n*1\r\n...`), RedisArrayAggregator pushes a `new AggregateState` onto the stack and allocates a `new ArrayList` for each header. Because there is no depth limit, an attacker can send millions of such headers. This consumes a massive amount of heap memory for the AggregateState instances and their backing ArrayLists, eventually resulting in an OutOfMemoryError.
### Impact Denial of Service due to memory exhaustion. Any application using Netty's RedisArrayAggregator to handle untrusted Redis traffic is vulnerable.
Are you affected?
Enter the version of the package you're using.
Affected packages
4.2.0.Final Fixed in: 4.2.15.Final # pom.xml: bump <version>4.2.15.Final</version> for io.netty:netty-codec-redis 0 Fixed in: 4.1.135.Final # pom.xml: bump <version>4.1.135.Final</version> for io.netty:netty-codec-redis