Bandit HTTP/2, Resource Exhaustion, N/A (Medium)

How the mentioned CVE works:

The vulnerability resides in Bandit’s HTTP/2 frame deserializer (lib/bandit/http2/frame.ex).
The parser uses pattern matching with `payload::binary-size(length)` to extract the frame body.
This match succeeds only when the entire announced `length` bytes are already buffered.
The size limit check (`length > max_frame_size`) is placed after that pattern.
Thus the server validates the frame size only after receiving the full body.
An attacker can send a 9-byte frame header with `length = 0xFFFFFF` (~16 MiB).
The negotiated `SETTINGS_MAX_FRAME_SIZE` defaults to 16384 bytes (16 KiB).
Because the header alone does not match any body‑bearing clause, `deserialize/2` returns `{:more, msg}`.
The connection layer keeps reading and buffering until the announced length arrives.
The oversize error fires only when the full 16 MiB body has been buffered.
The frame type (e.g., SETTINGS) and stream ID are irrelevant – the parser never reaches dispatch.
An attacker can trickle body bytes in small chunks (e.g., 64 KiB) to stay under timeout thresholds.
A vulnerable server silently accepts up to 16 MiB per frame, 1024× the agreed limit.

Multiple concurrent connections multiply the memory waste.

Tens of GiB of buffer memory can be pinned before any GOAWAY is sent.
No authentication or specific route is needed – the bug lies in the framing layer before Plug runs.
The impact is pure resource exhaustion (memory pressure DoS).
A patched server sends GOAWAY with FRAME_SIZE_ERROR as soon as the header is seen.
The fix adds a header‑only clause that rejects `length > max_frame_size` immediately, before buffering body.
This CVE (no assigned number) affects all Bandit versions prior to the fix that include the vulnerable pattern.

dailycve form:

Platform: Bandit HTTP/2
Version: up to 1.10
Vulnerability: oversized frame late-check
Severity: Medium
Date: May 6 2025

Prediction: May 15 2025

What Undercode Say:

Check if your Bandit server is vulnerable:
Run the PoC script (requires Elixir):
mix deps.get
elixir scripts/bandit/http2_frame_size_late_check.exs
Monitor memory per connection (Linux):
watch -n 1 'ss -tin | grep -A1 "bandit" | grep "rto" | wc -l'
Simulate many abusive connections (using netcat with custom framing):
Header: length=0xFFFFFF, type=0x4, flags=0, stream=0
printf '\xff\xff\xff\x04\x00\x00\x00\x00\x00' | nc -q 1 localhost 4321
Check for GOAWAY frame response:
tcpdump -i lo -n 'tcp port 4321 and (tcp[20:2] = 0x0007)'

How to exploit:

Send oversized HTTP/2 frame header (length = 16 MiB) on any h2 connection, then drip body bytes slowly. Repeat across thousands of parallel sockets until server memory exhaustion.

Protection from this CVE

Upgrade Bandit to a version containing the header‑only size check. If that is not possible, apply the one‑line fix in frame.ex: add `def deserialize(<<length::24, _::binary>> = msg, max_frame_size) when length > max_frame_size, do: {{:error, frame_size_error(), "…"}, drop_frame_or_close(msg)}` before the existing body‑bearing clauses, so the announced length is checked as soon as the 9‑byte header is available.
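The clause ordering described above and the header-only fix, as an added Elixir example that is not Bandit's own code: the module name, the `deserialize_vulnerable`/`deserialize_fixed` function names, the `:frame_size_error` atom and the simplified frame map are assumptions made for illustration.

```elixir
defmodule FrameSizeCheck do
  @moduledoc """
  Added example (not Bandit's code): a minimal HTTP/2 frame deserializer
  showing the late size check and the header-only fix described above.
  """

  # Vulnerable ordering: the body-bearing clause is tried first. For an
  # oversize frame whose body has not arrived, the binary-size(length)
  # match fails, the call falls through to {:more, msg}, and the caller
  # keeps buffering until all `length` bytes are present. Only then is
  # length compared against max_frame_size.
  def deserialize_vulnerable(
        <<length::24, type::8, flags::8, _r::1, stream_id::31,
          payload::binary-size(length), rest::binary>>,
        max_frame_size
      ) do
    if length > max_frame_size do
      {{:error, :frame_size_error}, rest}
    else
      {{:ok, %{type: type, flags: flags, stream_id: stream_id, payload: payload}}, rest}
    end
  end

  def deserialize_vulnerable(msg, _max_frame_size), do: {:more, msg}

  # Fixed ordering: a header-only clause placed before the body-bearing
  # clause rejects an oversize announced length as soon as the 9-byte
  # header is present, so no body bytes are ever buffered for it.
  def deserialize_fixed(<<length::24, _::binary>> = msg, max_frame_size)
      when length > max_frame_size do
    {{:error, :frame_size_error}, msg}
  end

  def deserialize_fixed(msg, max_frame_size),
    do: deserialize_vulnerable(msg, max_frame_size)
end

# Constructed sample input: a 9-byte header announcing a 16 MiB (0xFFFFFF)
# SETTINGS frame (type 0x4) on stream 0, with no body bytes following.
header = <<0xFFFFFF::24, 0x4, 0x0, 0::32>>
max_frame_size = 16_384

# Vulnerable parser asks for more data; fixed parser rejects immediately.
IO.inspect(FrameSizeCheck.deserialize_vulnerable(header, max_frame_size), label: "vulnerable")
IO.inspect(FrameSizeCheck.deserialize_fixed(header, max_frame_size), label: "fixed")
```

Run it as a script with `elixir frame_size_check.exs`; a parser that returns `{:more, _}` for this header is one that will buffer the announced length before checking it.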

Impact:

Remote unauthenticated attacker can exhaust all available memory by opening a few thousand HTTP/2 connections and sending oversized frame headers with slow body drip. No code execution or data leak, but denial of service leading to process crash or unresponsiveness.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
