hpax is vulnerable to Inefficient Algorithmic Complexity
87
High Risk
hpax decodes HPACK variable-length integers with no upper bound on the decoded value or the number of continuation octets. HPAX.Types.decode_remaining_integer/3 in lib/hpax/types.ex accumulates the integer as int + (value <<< m), shifting by 7 more bits for each continuation octet and stopping only on a terminating octet or truncated input, never because the integer grew too large. Because BEAM integers are arbitrary precision, a run of N continuation octets builds an O(N)-bit bignum and re-adds into an ever-larger bignum on each step, so the total decoding cost is superlinear (about O(N^2)). An unauthenticated attacker who can send an HTTP/2 header block to a server using this decoder (reached through HPAX.decode/2) can supply a small header block that forces a large, attacker-controlled amount of CPU (and transient memory), a denial-of-service amplification.
You are affected if you are using a version that falls within the vulnerable range.
hpax is vulnerable to Inefficient Algorithmic Complexity in versions 0.1.1 - 1.0.3.
Upgrade the hpax library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant