Back to Vector

Http Source Decompression Bomb.Security

changelog.d/http_source_decompression_bomb.security.md

0.57.0609 B
Original Source

HTTP-based sources (http_server, prometheus_pushgateway, prometheus_remote_write, heroku_logs, opentelemetry) now cap decompressed request bodies at 100 MiB. Previously, a single unauthenticated request carrying a compressed payload (e.g. a gzip bomb) could allocate unbounded memory and OOM-kill the Vector process. Decompressed payloads exceeding the cap are rejected with HTTP 413, as are requests whose declared Content-Length exceeds the same limit. The cap can be raised or lowered via --max-decompressed-size-bytes (or VECTOR_MAX_DECOMPRESSED_SIZE_BYTES).

authors: pront thomasqueirozb