Threat Feed
high advisory

Bandit WebSocket permessage-deflate unbounded inflate leads to DoS

Bandit versions from 0.5.8 up to, but not including, 1.11.0 are vulnerable to denial of service when permessage-deflate is enabled: an unauthenticated client can exhaust the BEAM's memory with a single, small, compressed WebSocket frame because the decompression step is unbounded.

Bandit, a web server for the Erlang ecosystem, is vulnerable to a denial-of-service (DoS) attack. The vulnerability exists in versions from 0.5.8 up to, but not including, 1.11.0 when the permessage-deflate WebSocket extension is enabled. An unauthenticated client can send a small, specially crafted compressed WebSocket frame that, when decompressed, expands to a significantly larger size and exhausts the server's memory. This occurs because the inflate step within Bandit lacks an output-size cap. The vulnerability affects applications that have explicitly enabled compress: true when upgrading a connection to a WebSocket; stock Phoenix and LiveView apps default to compress: false. The attack occurs before any application-level code runs, so it cannot be mitigated in application code and requires patching the Bandit library itself.

Attack Chain

  1. An unauthenticated client establishes a TCP connection to the Bandit server.
  2. The client sends a WebSocket handshake request with Sec-WebSocket-Extensions: permessage-deflate.
  3. The Bandit server negotiates the permessage-deflate extension if both websocket_options.compress and connection_opts.compress are true.
  4. The client sends a WebSocket text frame with the RSV1 bit set to 1, indicating compressed data. The compressed frame is crafted to have a high compression ratio (e.g., 1024:1).
  5. The Bandit server receives the compressed frame and begins decompression using :zlib.inflate/2 in lib/bandit/websocket/permessage_deflate.ex.
  6. The inflation process lacks any output-size limit, allowing the decompressed data to grow unbounded in memory.
  7. IO.iodata_to_binary/1 materializes the entire decompressed payload into a single binary in the connection process’s heap.
  8. The server exhausts its available memory, leading to a denial-of-service condition as the BEAM process is OOM-killed or becomes unresponsive.

Impact

Successful exploitation results in a denial-of-service condition, potentially crashing the BEAM and rendering the Bandit-fronted application unavailable. A single, small compressed frame (~6MiB in the provided PoC) is sufficient to trigger the vulnerability, and concurrent connections amplify the impact linearly. Applications that have enabled permessage-deflate for bandwidth savings are particularly at risk, as they may not be aware of the inherent unbounded-inflate DoS. Any service using the Bandit web server that explicitly enables the compress option is affected and may suffer a service outage.

Recommendation

  • Disable the compress: true option when calling WebSockAdapter.upgrade/4 as a temporary workaround to mitigate the vulnerability.
  • Monitor process memory usage on systems running Bandit web servers, looking for sudden and significant increases, particularly after WebSocket connections are established. Consider creating a Sigma rule for this behavior based on process memory metrics.
  • Upgrade to Bandit version 1.11.0 or later once available. The suggested fix is to “thread a maximum-output-size through to inflate and either error out or return resumable chunks once exceeded, mirroring how the HTTP content-length path bounds reads via :length.”
  • Deploy the Sigma rule detecting WebSocket handshake with permessage-deflate to identify potentially vulnerable configurations.
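The following Python snippet, added here as an illustration and not code from Bandit (whose inflate path is Elixir and calls :zlib.inflate/2), shows the difference between the unbounded inflate described in the attack chain and the capped inflate proposed in the fix: decompression proceeds in bounded chunks and aborts as soon as the output would exceed max_output (an assumed parameter name). It also builds a permessage-deflate message the way a sender does (raw deflate, sync flush, trailing 00 00 ff ff removed) so the cap can be exercised against a constructed high-ratio payload.

```python
import zlib

# permessage-deflate (RFC 7692) sends raw deflate with the trailing 00 00 ff ff
# of the sync flush stripped; the receiver appends it back before inflating.
PMD_TAIL = b"\x00\x00\xff\xff"
CHUNK = 64 * 1024  # most output produced per inflate call; keeps memory use flat


class InflateLimitExceeded(Exception):
    """Raised when a message would inflate beyond the configured cap."""


def deflate_message(payload: bytes) -> bytes:
    """Compress a message as a permessage-deflate sender would (constructed helper)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw deflate, 32 KiB window
    data = c.compress(payload) + c.flush(zlib.Z_SYNC_FLUSH)
    assert data.endswith(PMD_TAIL)
    return data[:-len(PMD_TAIL)]


def inflate_unbounded(frame: bytes) -> bytes:
    """What the vulnerable path does: inflate everything with no output cap."""
    return zlib.decompressobj(wbits=-15).decompress(frame + PMD_TAIL)


def inflate_bounded(frame: bytes, max_output: int) -> bytes:
    """Inflate in chunks, refusing to materialise more than max_output bytes.

    The fix direction from the advisory: carry a maximum output size into the
    inflate loop and error out once it is exceeded, instead of letting the
    decompressed payload grow without limit in the connection process.
    """
    d = zlib.decompressobj(wbits=-15)
    data = frame + PMD_TAIL
    out = bytearray()
    while True:
        # Never ask zlib for more than would push us past the cap (room >= 1,
        # because max_length=0 would mean "unlimited" to decompressobj).
        room = min(CHUNK, max_output + 1 - len(out))
        chunk = d.decompress(data, room)
        out += chunk
        if len(out) > max_output:
            raise InflateLimitExceeded(f"message inflates beyond {max_output} bytes")
        data = d.unconsumed_tail  # input zlib could not consume within `room`
        if not chunk and not data:
            break  # all input consumed and nothing left pending
    return bytes(out)
```

A 1 MiB run of zero bytes deflates to roughly 1 KiB, so inflate_bounded with a 64 KiB cap rejects it after producing at most 64 KiB + 1 bytes, while inflate_unbounded happily allocates the full megabyte.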

Detection coverage (3 rules)

Detect WebSocket Handshake with permessage-deflate

medium

Detects WebSocket handshake requests that include the 'permessage-deflate' extension, indicating a potentially vulnerable configuration if compression is enabled.

Rule type: sigma. Tactics: initial_access. Techniques: T1595. Sources: webserver, linux.

Detect High BEAM Memory Usage

low

Detects unusually high BEAM memory usage, potentially indicating a memory exhaustion attack related to the permessage-deflate vulnerability in Bandit.

Rule type: sigma. Tactics: resource_development. Techniques: T1588. Sources: process_creation, linux.

Detect Bandit permessage-deflate option enabled

info

Detects when the Bandit option permessage-deflate is enabled by looking for compress: true in the websocket options.

Rule type: sigma. Tactics: configuration. Techniques: T1562.001. Sources: file_event, linux.
