Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1nanJqLTlyajQtcGd3eM0bsQ

DoS Vulnerability from Upstream Actix Web Issues

Impact

This vulnerability affects all users of the perseus deploy functionality who have not exported their sites to static files. If you are using the inbuilt Perseus server in production, there is a memory leak in Actix Web stemming from this upstream issue which can allow even a single user to cause the process to exhaust its memory on low-memory servers by continuously reloading the page. Note that this issue does not affect all Actix Web applications, but rather results from certain usage patterns which appear to be present in Perseus' server mechanics.

Patches

This vulnerability is addressed in all versions after Perseus v0.3.0-beta.21, which temporarily discontinues the use of perseus-actix-web (until the upstream bug is fixed) and switches to perseus-warp instead, which utilizes Warp.

Additionally, as of Perseus v0.3.0-beta.22, the Actix Web integration has been upgraded to use the latest unstable beta version of Actix Web, which appears to partially resolve this issue (the severity of the memory leak is reduced). However, due to the instability of this version, the default integration will remain Warp for now, and a warning will appear if you attempt to use the Actix Web integration.

If the instability of the latest beta version of Actix Web is not a concern for you, you can use this integration by adding -i actix-web to perseus serve and the like. This will print a warning about instability, and will then operate with the beta version. Please report any failures in functionality that are not security-related to the Perseus team by opening an issue on the repository.

Note, however, that switching to the Warp integration requires no code changes whatsoever unless you've ejected, so there are very few disadvantages to this change.

Workarounds

Due to significant infrastructural changes within other Perseus packages that were needed to support Warp, this integration is not backward-compatible with any previous version of Perseus, meaning there are no easily feasible workarounds. If you're only in development though, this vulnerability is irrelevant until you push to production.

CVE Status

Due to GitHub's requirements, a CVE can't be issued for this security advisory because the issue is technically one with Actix Web (though it's only in combination with certain mechanics in the Perseus server that this problem arises).

References

See this upstream issue in Actix Web.

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-gjrj-9rj4-pgwx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nanJqLTlyajQtcGd3eM0bsQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago


Identifiers: GHSA-gjrj-9rj4-pgwx
References: Repository: https://github.com/arctic-hen7/perseus
Blast Radius: 1.0

Affected Packages

cargo:perseus-actix-web
Dependent packages: 0
Dependent repositories: 0
Downloads: 19,342 total
Affected Version Ranges: <= 0.3.0-beta.21
Fixed in: 0.3.0-beta.22
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0-beta.1, 0.3.0-beta.2, 0.3.0-beta.3, 0.3.0-beta.4, 0.3.0-beta.5, 0.3.0-beta.6, 0.3.0-beta.7, 0.3.0-beta.8, 0.3.0-beta.9, 0.3.0-beta.10, 0.3.0-beta.11, 0.3.0-beta.12, 0.3.0-beta.13, 0.3.0-beta.14, 0.3.0-beta.15, 0.3.0-beta.16, 0.3.0-beta.17, 0.3.0-beta.18, 0.3.0-beta.19, 0.3.0-beta.20, 0.3.0-beta.21
All unaffected versions: 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.4.0, 0.4.1, 0.4.2
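To check a project's Cargo.lock against the affected range above (<= 0.3.0-beta.21), here is an added example that is not part of the advisory or the Perseus project. It implements semver precedence for pre-release identifiers (so 0.3.0-beta.9 sorts below 0.3.0-beta.21 and 0.3.0 sorts above every beta) and scans a constructed lock-file fragment for an affected perseus-actix-web entry.

```python
import re
from typing import List, Tuple

# Constructed Cargo.lock fragment (assumed input, not from the advisory page);
# it follows the [[package]] table layout Cargo writes.
SAMPLE_LOCK = """
[[package]]
name = "perseus"
version = "0.3.0-beta.21"

[[package]]
name = "perseus-actix-web"
version = "0.3.0-beta.21"
"""

AFFECTED_MAX = "0.3.0-beta.21"  # upper bound of the advisory's affected range
PKG_RE = re.compile(r'\[\[package\]\]\nname = "([^"]+)"\nversion = "([^"]+)"')


def parse_semver(v: str):
    """Split 'MAJOR.MINOR.PATCH[-pre.ids]' into numeric core and pre-release ids."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    pre_ids = [int(p) if p.isdigit() else p for p in pre.split(".")] if pre else []
    return nums, pre_ids


def _cmp(x, y) -> int:
    return (x > y) - (x < y)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b under semver precedence rules."""
    a_core, a_pre = parse_semver(a)
    b_core, b_pre = parse_semver(b)
    if a_core != b_core:
        return _cmp(a_core, b_core)
    if not a_pre or not b_pre:  # a release outranks any pre-release of the same core
        return _cmp(bool(b_pre), bool(a_pre))
    for x, y in zip(a_pre, b_pre):
        if isinstance(x, int) != isinstance(y, int):
            r = -1 if isinstance(x, int) else 1  # numeric ids sort before alphanumeric
        else:
            r = _cmp(x, y)
        if r:
            return r
    return _cmp(len(a_pre), len(b_pre))  # longer pre-release list ranks higher


def is_affected(version: str) -> bool:
    return compare_versions(version, AFFECTED_MAX) <= 0


def audit_lock(lock_text: str) -> List[Tuple[str, str]]:
    """Return every perseus-actix-web entry in the lock file inside the affected range."""
    return [(n, v) for n, v in PKG_RE.findall(lock_text)
            if n == "perseus-actix-web" and is_affected(v)]
```

Run `audit_lock` over a real Cargo.lock; an empty result means no locked perseus-actix-web version falls within the advisory's range.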