Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ReactPHP's HTTP server continues parsing unused multipart parts after reaching limits
Vulnerability Description
react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impact on the default configuration, but can be exploited when explicitly using the RequestBodyBufferMiddleware with very large settings. This might lead to consuming large amounts of CPU time for processing requests and significantly delay or slow down the processing of legitimate user requests. This issue has been addressed in release 1.9.0. Users are advised to upgrade. Users unable to upgrade may keep the request body limited using RequestBodyBufferMiddleware with a sensible value which should mitigate the issue. An infrastructure or DevOps workaround could be to place a reverse proxy in front of the ReactPHP HTTP server to filter out any excessive HTTP request bodies.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Vulnerability Title
ReactPHP HTTP 资源管理错误漏洞
Vulnerability Description
ReactPHP HTTP是ReactPHP开源的一个 ReactPHP 的事件驱动、流式 HTTP 客户端和服务器实现。 ReactPHP HTTP 0.8.0到1.9.0版本存在资源管理错误漏洞,该漏洞源于在处理大型 HTTP 请求主体时可能导致高 CPU 负载。
CVSS Information
N/A
Vulnerability Type
N/A