6.3 MEDIUM
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): Present (P)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): None (N)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): Low (L)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): Present (P)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): None (N)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): Low (L)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
- Exploit Maturity (E): Not Defined (X)
Activity log
- Created suggestion
Zero-length HTTP/2 CONTINUATION frames bypass Mint's header-block byte-size cap and exhaust client memory
Allocation of resources without limits vulnerability in elixir-mint mint allows a remote HTTP/2 server to exhaust memory on the client host and cause a denial of service. The Mint.HTTP2.handle_continuation/3 function in lib/mint/http2.ex accumulates the header-block fragment carried by each HTTP/2 CONTINUATION frame into a growing conn.headers_being_processed nesting, one level deeper per frame, and only releases it when a frame with the END_HEADERS flag arrives. The only guard on this accumulator is Mint.HTTP2.assert_header_block_within_max_size/2, which sums the byte size of the fragments received so far. Because a CONTINUATION frame is permitted by the protocol to carry a zero-length payload, an unbounded chain of zero-length CONTINUATION frames adds no bytes to the running total, never trips the size cap, and never emits END_HEADERS, yet each frame still nests the accumulator one level deeper. A malicious HTTP/2 server (reachable directly, via an attacker-controlled redirect, via SSRF, or via a man-in-the-middle) can open a stream by sending a HEADERS frame without END_HEADERS and then stream zero-length CONTINUATION frames indefinitely. Client memory grows one cons cell per frame received; sustained bandwidth from the peer drives the BEAM node running the Mint client to memory exhaustion and eventual out-of-memory termination. This issue affects mint: from 0.1.0 before 1.9.2.
References
-
https://github.com/elixir-mint/mint/security/advisories/GHSA-8pf6-g464-h6h9 relatedvendor-advisoryexploit
Affected products
- <1.9.2
- <5779de1666344b32aefc4354184ea07f902f73ce
Matching in nixpkgs
pkgs.mint
Refreshing language for the front-end web
pkgs.mintotp
Minimal TOTP generator
pkgs.fedimint
Federated E-Cash Mint
pkgs.tendermint
Byzantine-Fault Tolerant State Machines. Or Blockchain, for short
pkgs.garmintools
Provides the ability to communicate with the Garmin Forerunner 305 via the USB interface
pkgs.latexminted
Python executable for LaTeX minted package
pkgs.mint-themes
Mint-X and Mint-Y themes for the cinnamon desktop
pkgs.mint-artwork
Artwork for the cinnamon desktop
pkgs.mint-l-theme
Mint-L theme for the Cinnamon desktop
pkgs.marwaita-mint
Variation for marwaita GTK theme based on linux mint color scheme
pkgs.mint-cursor-themes
Linux Mint cursor themes
pkgs.haskellPackages.mintty
A reliable way to detect the presence of a MinTTY console on Windows
pkgs.octavePackages.optiminterp
Optimal interpolation toolbox for octave
-
nixos-unstable 11.3.0-optiminterp-0.3.7
- nixpkgs-unstable 11.3.0-optiminterp-0.3.7
- nixos-unstable-small 11.3.0-optiminterp-0.3.7
-
nixos-26.05 11.1.0-optiminterp-0.3.7
- nixos-26.05-small 11.1.0-optiminterp-0.3.7
- nixpkgs-26.05-darwin 11.1.0-optiminterp-0.3.7
Package maintainers
-
@dpc Dawid Ciężarkiewicz <dpc@dpc.pw>
-
@romildo José Romildo Malaquias <malaquias@gmail.com>
-
@bobby285271 Bobby Rong <rjl931189261@126.com>
-
@mkg20001 Maciej Krüger <mkg20001+nix@gmail.com>
-
@provokateurin Kate Döen
-
@ravenjoad Raven Hallsby <raven@hallsby.com>
-
@alexfmpe Alexandre Esteves <alexfmpe@proton.me>