A denial of service vulnerability in vavr was discovered by CIFuzz. A bug in method CharSeq.repeat(char, int) means that an input of modest size can lead to indefinite amounts of memory being used. It can be reproduced with the following code.
I can imagine how this can be recognized as a DoS vulnerability: if you are certain that some application is using it, you could force some extra memory consumption leading to its collapse.
But there's not much we can do about it: if you want to create a String instance legally, it involves some array copying. That's how String and StringBuilder work. There are easier and more efficient ways to induce OOMEs.
Also, this method is often used in demos and tests and not in production code, which makes it effectively harmless.