Summary
Mint's HTTP/2 client accumulates CONTINUATION header-block fragments into a per-connection buffer with no cap on size or frame count. A malicious or compromised HTTP/2 server can drive the client's memory to arbitrary size by streaming an endless chain of CONTINUATION frames after a HEADERS frame that omits END_HEADERS, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient.
Details
When Mint's HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, 'Elixir.Mint.HTTP2':handle_headers/3 parks the unparsed header-block fragment in conn.headers_being_processed. Every subsequent CONTINUATION frame on that stream is then appended to the accumulator by 'Elixir.Mint.HTTP2':handle_continuation/3.
Nothing in the receive path bounds this accumulator: there is no per-stream size cap, no CONTINUATION frame-count cap, and max_header_list_size is only enforced on outgoing requests (its default is :infinity, and the only enforcement helper inspects server_settings for request encoding, never inbound header blocks). Each CONTINUATION payload can be up to the peer-advertised SETTINGS_MAX_FRAME_SIZE, so the attacker can grow headers_being_processed to arbitrary size at line rate.
PoC
- Stand up a raw TCP server that speaks the HTTP/2 handshake.
- After the client's request
HEADERS arrives, respond with a HEADERS frame on stream 1 with flags = 0 (no END_HEADERS, no END_STREAM) and an empty header-block fragment.
- Stream
CONTINUATION frames on stream 1, each with flags = 0 and a payload up to SETTINGS_MAX_FRAME_SIZE. Never set END_HEADERS.
- The client's process memory grows linearly with the flood and the BEAM process eventually crashes with OOM.
Impact
Remote, unauthenticated denial-of-service against any process using Mint as an HTTP/2 client against an untrusted or attacker-influenced server. A single connection is sufficient to drive memory to arbitrary size and crash the BEAM process. The default Mint configuration is vulnerable; no client-side opt-in is required. Scored CVSS v4.0 8.2 (HIGH).
Workarounds
Restrict Mint to HTTP/1 on connections to untrusted servers by passing protocols: [:http1] to 'Elixir.Mint.HTTP':connect/4. This avoids the vulnerable HTTP/2 receive path entirely, at the cost of losing HTTP/2 for those connections.
Resources
References
Summary
Mint's HTTP/2 client accumulates
CONTINUATIONheader-block fragments into a per-connection buffer with no cap on size or frame count. A malicious or compromised HTTP/2 server can drive the client's memory to arbitrary size by streaming an endless chain ofCONTINUATIONframes after aHEADERSframe that omitsEND_HEADERS, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient.Details
When Mint's HTTP/2 receive path observes a
HEADERSframe without theEND_HEADERSflag,'Elixir.Mint.HTTP2':handle_headers/3parks the unparsed header-block fragment inconn.headers_being_processed. Every subsequentCONTINUATIONframe on that stream is then appended to the accumulator by'Elixir.Mint.HTTP2':handle_continuation/3.Nothing in the receive path bounds this accumulator: there is no per-stream size cap, no
CONTINUATIONframe-count cap, andmax_header_list_sizeis only enforced on outgoing requests (its default is:infinity, and the only enforcement helper inspectsserver_settingsfor request encoding, never inbound header blocks). EachCONTINUATIONpayload can be up to the peer-advertisedSETTINGS_MAX_FRAME_SIZE, so the attacker can growheaders_being_processedto arbitrary size at line rate.PoC
HEADERSarrives, respond with aHEADERSframe on stream 1 withflags = 0(noEND_HEADERS, noEND_STREAM) and an empty header-block fragment.CONTINUATIONframes on stream 1, each withflags = 0and a payload up toSETTINGS_MAX_FRAME_SIZE. Never setEND_HEADERS.Impact
Remote, unauthenticated denial-of-service against any process using Mint as an HTTP/2 client against an untrusted or attacker-influenced server. A single connection is sufficient to drive memory to arbitrary size and crash the BEAM process. The default Mint configuration is vulnerable; no client-side opt-in is required. Scored CVSS v4.0 8.2 (HIGH).
Workarounds
Restrict Mint to HTTP/1 on connections to untrusted servers by passing
protocols: [:http1]to'Elixir.Mint.HTTP':connect/4. This avoids the vulnerable HTTP/2 receive path entirely, at the cost of losing HTTP/2 for those connections.Resources
References