CVE-2023-4540: 
Linux Debian vulnerability analysis and mitigation

The vulnerability CVE-2023-4540 affects the Daurnimator lua-http library, discovered and disclosed on September 5, 2023. This vulnerability is present in all versions of lua-http including version 0.4 before the ddab283 commit. The issue involves improper handling of exceptional conditions that can lead to excessive allocation and a denial of service (DoS) condition (NVD, CERT Advisory).

The vulnerability is classified as an Improper Handling of Exceptional Conditions (CWE-755) and Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835). The issue occurs when a properly crafted request is sent to the server, causing the program to enter an infinite loop. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can result in a denial of service (DoS) condition. The attack can be executed by sending a specially crafted request to the server, which causes the program to enter an infinite loop, potentially making the service unavailable (CERT Advisory).

The vulnerability has been fixed in commit ddab283. Users should update to a version of lua-http that includes this commit. The fix handles EOF when bodyreadtype equals length, preventing the infinite draining loop when trying to shutdown a stream (GitHub Patch).