The vulnerability exists within the `FileResponse._parse_range_header()` method. This function is responsible for parsing the `Range` HTTP header to serve specific parts of a file. It uses a regular expression, `_RANGE_PATTERN = re.compile(r"(\d*)-(\d*)")`, to find all range specifiers in the header string. An attacker can craft a malicious `Range` header value, such as `bytes=00000...0000a-`, which contains a long string of digits followed by a non-digit character. This input causes the backtracking regex engine to enter a catastrophic backtracking scenario because of the ambiguous quantifiers: at every starting position the engine consumes the whole digit run, fails to find the `-`, and backs off one character at a time. The time complexity for processing this malicious string becomes O(n^2), where n is the number of characters. This quadratic cost leads to excessive CPU consumption for a single request, stalling the server and creating a Denial-of-Service condition without requiring authentication.
Platform: Starlette
Version: <0.44.0
Vulnerability: ReDoS
Severity: Critical
Date: 2024-05-15
Prediction: 2024-05-29
What Undercode Says:
Run with `python3 poc_dos_range.py`:

```python
def build_payload(length: int) -> str:
    # Long run of digits terminated by a non-digit, as described above
    return ("0" * length) + "a-"

header = "bytes=" + build_payload(40000)
```
How the exploit works:
Send HTTP request with malicious Range header.
Crafted header triggers regex backtracking.
CPU exhausts, causing denial-of-service.
Protection from this CVE
Upgrade Starlette version.
Implement request filtering.
Use a WAF.
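The following is an added example, not Starlette's code and not from the original advisory. It covers both the mechanism described above and the "request filtering" mitigation: the page's regex is kept only in a small timing helper so the quadratic growth can be observed, while `parse_range_header_safe()` parses the same header grammar in one linear pass with no regex and enforces assumed limits (`MAX_RANGE_HEADER_LEN`, `MAX_RANGES`, both chosen here, not Starlette defaults). The function and exception names are this example's own.

```python
import re
import time

# Vulnerable pattern as given on the page (with the '*' quantifiers).
# Kept only to illustrate the quadratic behaviour; the safe parser never uses it.
_RANGE_PATTERN = re.compile(r"(\d*)-(\d*)")

# Assumed policy values for this example, not Starlette settings.
MAX_RANGE_HEADER_LEN = 256
MAX_RANGES = 10


class RangeHeaderError(ValueError):
    """Raised for any Range header the server should reject (e.g. with 416)."""


def _ascii_digits(s: str) -> bool:
    # Explicit ASCII check: str.isdigit() also accepts Unicode digits such as '²'.
    return s != "" and all(c in "0123456789" for c in s)


def parse_range_header_safe(header: str, file_size: int) -> list[tuple[int, int]]:
    """Parse 'bytes=a-b, c-d, -n, m-' in one linear pass with no regex.
    Returns half-open (start, end) byte ranges; end is exclusive."""
    if len(header) > MAX_RANGE_HEADER_LEN:
        raise RangeHeaderError("Range header exceeds length limit")
    unit, eq, spec = header.partition("=")
    if eq != "=" or unit.strip().lower() != "bytes":
        raise RangeHeaderError("unsupported or malformed range unit")
    ranges: list[tuple[int, int]] = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if len(ranges) >= MAX_RANGES:
            raise RangeHeaderError("too many ranges")
        start_s, dash, end_s = part.partition("-")
        if dash != "-":
            raise RangeHeaderError("range spec missing '-'")
        if (start_s and not _ascii_digits(start_s)) or (end_s and not _ascii_digits(end_s)):
            raise RangeHeaderError("non-numeric range bound")
        if not start_s and not end_s:
            raise RangeHeaderError("empty range spec")
        if not start_s:
            # Suffix form '-n': the last n bytes of the file
            n = int(end_s)
            if n == 0:
                raise RangeHeaderError("zero-length suffix range")
            ranges.append((max(0, file_size - n), file_size))
            continue
        start = int(start_s)
        end = file_size if not end_s else min(int(end_s) + 1, file_size)
        if start >= file_size or start >= end:
            raise RangeHeaderError("unsatisfiable range")
        ranges.append((start, end))
    if not ranges:
        raise RangeHeaderError("no ranges given")
    return ranges


def regex_findall_seconds(n_digits: int) -> float:
    """Time the page's regex over a constructed '0...0a-' string of n_digits zeros."""
    s = "bytes=" + "0" * n_digits + "a-"
    t0 = time.perf_counter()
    _RANGE_PATTERN.findall(s)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Each doubling of the digit run roughly quadruples the regex time.
    for n in (1000, 2000, 4000):
        print(f"regex, {n} digits: {regex_findall_seconds(n):.3f}s")
    print(parse_range_header_safe("bytes=0-99, -50, 200-", 1000))
    try:
        parse_range_header_safe("bytes=" + "0" * 40000 + "a-", 1000)
    except RangeHeaderError as e:
        print("rejected:", e)
```

The length cap is the cheap first line of defence (it is what a reverse proxy or WAF rule would enforce); the linear parser is the actual fix, since it never backtracks regardless of input shape, and it rejects a digit run terminated by a non-digit as a malformed bound instead of scanning it repeatedly.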
Impact:
CPU Exhaustion
Service Downtime
Unauthenticated Exploitation
Sources:
Reported By: github.com