Summary
In the fix of our previously reported issue, the number of objects that can be queried in one query was limited to 100. However, we have discovered that the fix is incomplete. Attackers can still increase the memory usage by performing multiple queries at the same time, resulting in OOM.
Since the advisory page for GHSA-q7jw-699g-rrxf has already been published, we can no longer take further actions through the private channel. As a result, we’ve decided to open a new security report for further discussion. We recommend keeping the information private to avoid attracting any unwanted attention from malicious actors.
Details
Reproduced on
- main branch (58f937c)
Affected Module:
crates/rooch-rpc-server/src/server/rooch_server.rs
The number of objects that can be queried in one query is limited to 100, but the size of each object that can be returned is not limited, so attac
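The defensive shape the report points toward, as an added Rust example that is not rooch's own code: keep the existing 100-object cap, but also bound the serialized bytes of each response and the number of queries in flight server-wide, so concurrent requests cannot multiply memory use. The byte and concurrency limits, their values, and every name here are assumptions.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;

// Assumed limits; the report only states the 100-object cap.
pub const MAX_OBJECTS_PER_QUERY: usize = 100;
pub const MAX_RESPONSE_BYTES: usize = 4 * 1024 * 1024; // assumption: 4 MiB per response
pub const MAX_IN_FLIGHT_QUERIES: usize = 8; // assumption: server-wide cap

#[derive(Debug, PartialEq)]
pub enum QueryError {
    TooManyObjects(usize),
    ResponseTooLarge { produced: usize, limit: usize },
    ServerBusy,
}

/// RAII guard on a server-wide in-flight counter; the slot is released on drop,
/// so an early error return cannot leak it.
pub struct InFlight(Arc<AtomicUsize>);

impl InFlight {
    pub fn acquire(counter: &Arc<AtomicUsize>, limit: usize) -> Result<InFlight, QueryError> {
        if counter.fetch_add(1, Ordering::SeqCst) >= limit {
            counter.fetch_sub(1, Ordering::SeqCst);
            return Err(QueryError::ServerBusy);
        }
        Ok(InFlight(Arc::clone(counter)))
    }
}

impl Drop for InFlight {
    fn drop(&mut self) {
        self.0.fetch_sub(1, Ordering::SeqCst);
    }
}

/// Bounds object count and total bytes, checking the byte budget before each
/// object is copied so an oversized object is never buffered.
pub fn build_response(counter: &Arc<AtomicUsize>, objects: &[Vec<u8>]) -> Result<Vec<u8>, QueryError> {
    let _slot = InFlight::acquire(counter, MAX_IN_FLIGHT_QUERIES)?;
    if objects.len() > MAX_OBJECTS_PER_QUERY {
        return Err(QueryError::TooManyObjects(objects.len()));
    }
    let mut out = Vec::new();
    for obj in objects {
        let produced = out.len() + obj.len();
        if produced > MAX_RESPONSE_BYTES {
            return Err(QueryError::ResponseTooLarge { produced, limit: MAX_RESPONSE_BYTES });
        }
        out.extend_from_slice(obj);
    }
    Ok(out)
}
```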