
Cloud Vulnerability DB
A community-led vulnerabilities database
The HTTP server in Mongoose before version 7.10 contains a critical vulnerability (CVE-2023-34188) that accepts requests containing negative Content-Length headers. The vulnerability was discovered and disclosed by Narf Industries as part of their investigation of HTTP parsers for the DARPA SafeDocs program. The issue was identified in April 2023 and was patched in Mongoose 7.10 released on May 18, 2023 (Narf Blog).
The vulnerability exists in Mongoose's HTTP shotgun parser, which improperly validates HTTP Content-Length headers. The parser accepts Content-Length values with a '-' prefix and treats them as negative numbers, because it uses the mg_to64 function to convert the string to a 64-bit signed integer. When parsing a request, Mongoose determines where the request ends by reading headers until it reaches the end-of-headers delimiter, then adds the Content-Length value to that offset. With a negative Content-Length, the parser skips backward instead of forward, potentially causing an infinite loop (Narf Blog). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).
By sending a single attack payload over TCP with a specially crafted negative Content-Length header value, an attacker can cause the server to enter an infinite loop in which it continuously reparses the same payload. Once in this state, the server becomes unresponsive to any other requests, effectively creating a denial of service condition (NVD).
The vulnerability was fixed in Mongoose version 7.10 by adding a new function that works specifically with the size_t data type and removing support for the mg_to64 function. The fix includes a check for negative values in the Content-Length header (GitHub Patch). Users should upgrade to Mongoose version 7.10 or later to address this vulnerability.
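The hardened behaviour described above, as an added example written for this report rather than Mongoose's own patch: the Content-Length value is parsed directly into an unsigned size_t, so a '-' prefix is rejected instead of being read as a negative offset, and the header-length plus body-length sum is overflow-checked so the computed request end can never land before the end of the headers. Function names and the request layout are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not Mongoose's own patch: the value goes straight into
 * size_t, so '-' (any non-digit) and overflow are rejected, never negated. */
static bool parse_content_length(const char *s, size_t n, size_t *out) {
    size_t v = 0;
    while (n > 0 && (*s == ' ' || *s == '\t')) { s++; n--; }     /* leading OWS */
    while (n > 0 && (s[n - 1] == ' ' || s[n - 1] == '\t')) n--;  /* trailing OWS */
    if (n == 0) return false;                                    /* empty value */
    for (size_t i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i])) return false;         /* '-' lands here */
        size_t d = (size_t)(s[i] - '0');
        if (v > (SIZE_MAX - d) / 10) return false;               /* would overflow */
        v = v * 10 + d;
    }
    *out = v;
    return true;
}

/* Case-insensitive prefix test (header names are case-insensitive). */
static bool has_prefix_ci(const char *s, size_t n, const char *pfx) {
    for (; *pfx; s++, pfx++, n--)
        if (n == 0 || tolower((unsigned char)*s) != tolower((unsigned char)*pfx)) return false;
    return true;
}

/* Total request length (headers + body) at the front of buf. Returns 0 for
 * incomplete headers or an invalid request, so it never points before end. */
static size_t request_length(const char *buf, size_t len) {
    const char *end = NULL;
    for (size_t i = 0; i + 4 <= len; i++)                 /* find CRLFCRLF */
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) { end = buf + i + 4; break; }
    if (end == NULL) return 0;
    size_t hdr_len = (size_t)(end - buf), body = 0;
    for (const char *p = buf; p < end; ) {                /* walk header lines */
        const char *eol = memchr(p, '\n', (size_t)(end - p)); /* never NULL: end is past CRLFCRLF */
        size_t line = (size_t)(eol - p);
        if (has_prefix_ci(p, line, "Content-Length:")) {
            size_t vlen = line - 15;
            if (vlen > 0 && eol[-1] == '\r') vlen--;      /* drop CR */
            if (!parse_content_length(p + 15, vlen, &body)) return 0;
        }
        p = eol + 1;
    }
    if (body > SIZE_MAX - hdr_len) return 0;              /* sum would overflow */
    return hdr_len + body;
}
```

A request whose Content-Length is negative, non-numeric or too large is reported as invalid (0) rather than given a shorter-than-headers length, which is the condition that made the original parser loop.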
Source: This report was generated using AI