GHSA-5pf6-cq2v-23ww: 
vulnerability analysis and mitigation

A high-severity Denial of Service (DoS) vulnerability (GHSA-5pf6-cq2v-23ww) was discovered in WhoDB's authentication middleware. The vulnerability affects all versions up to v0.43.0 of the github.com/clidey/whodb/core package. The issue allows any client to cause memory exhaustion by sending large request bodies, as the server reads the entire request body into memory without size limits (GitHub Advisory).

The vulnerability exists in the AuthMiddleware function within core/src/auth/auth.go. The middleware processes all API requests (/api/*) and reads the entire request body using io.ReadAll without size limits. The issue is compounded by several factors: a 10-minute timeout setting, high throttle limits (10000 concurrent requests, 1000 backlog), multiple copies of the request body being created during processing, and no per-client rate limiting. The vulnerability has received a CVSS v3.1 score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability allows any client to send arbitrarily large request bodies to the API endpoints. Due to multiple copies created during processing and lack of size limits, this can quickly exhaust server memory, potentially affecting all users of the system. The high concurrent request limits and long timeout make this particularly effective for DoS attacks. The vulnerability requires no authentication as it affects public API endpoints (GitHub Advisory).

Several fix considerations have been proposed: implementing request body size limits using http.MaxBytesReader, reducing the request timeout from 10 minutes, implementing per-client rate limiting, and considering streaming body processing instead of loading entirely into memory. A fix has been implemented in commit e8b608d that introduces a 1MB request body size limit and reduces the timeout to 30 seconds (GitHub Commit).