Potential Memory Exhaustion in Eclipse Vert.x WebSocket Implementation
CVE-2018-12541

6.5MEDIUM

Key Information:

Vendor: The Eclipse Foundation
Status: Eclipse Vert.x
Vendor: CVE Published:; 10 October 2018

What is CVE-2018-12541?

The Eclipse Vert.x WebSocket implementation from version 3.0.0 to 3.5.3 is susceptible to a vulnerability where it holds the full HTTP request body in memory during the handshake process. This can lead to unexpected memory usage, potentially resulting in a denial of service if large payloads are sent without limitations. The system should enforce a reasonable limit of 8192 bytes to prevent such scenarios, beyond which the WebSocket connection will be closed with a 413 status code, mitigating high memory utilization risks.

Affected Version(s)

Eclipse Vert.x 3.0

Eclipse Vert.x <= 3.5.3

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=539170

x_refsource_CONFIRM

https://github.com/eclipse-vertx/vert.x/issues/2648

x_refsource_CONFIRM

https://access.redhat.com/errata/RHSA-2018:2946

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 10, 2018
Vulnerability Reserved
Jun 18, 2018

The Eclipse Foundation

What is CVE-2018-12541?

Affected Version(s)

References

CVSS V3.1

Timeline