Denial of Service in chatwoot/chatwoot

Valid

Reported on

Dec 6th 2021


The extract_reply function (https://github.com/chatwoot/chatwoot/blob/a0ffefad717b632269883863c27242bb97d3b66d/app/presenters/mail_presenter.rb#L105) is highly inefficient on HTML emails. A legitimate LinkedIn email has 20kb of HTML content which takes a minute or two to process through that function, and on the SaaS site caused undefined behavior such as these emails being delivered with a long delay or multiple times (probably as a result of the Sidekiq worker crashing). An attacker would be able to exploit this to clog up all the workers on the SaaS platform and degrade queue-dependent functionality for everyone.

As a solution, tweaking the regexes would work, but I suggest scrapping the "homemade" approach and instead using the 'html2text' gem to convert to text and then running the text through the 'email_reply_parser' gem (used by GitHub themselves) to extract the reply out of the text content. I have implemented this solution on my local version and the problem goes away.

I can provide the specific payload that triggered the bug, but honestly this does not require any malicious activity; a legitimate LinkedIn notification email triggered it, so I'm pretty sure you can just take any random HTML page in the 10kb range as a test.

Regards.
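The two-step approach the report proposes (convert the HTML to text first, then cut the text at the first quoted-reply marker) as an added Ruby example. This is not chatwoot's code and not the html2text or email_reply_parser gems; it uses only the standard library so it runs without extra dependencies. The reply markers, the byte cap and the sample email are assumptions made for the example, and every regex runs once per line or once over the document with bounded backtracking, which is the property the original function lacked.

```ruby
require 'cgi'

# Assumed cap: incoming mail bodies larger than this are truncated before any
# regex runs, so one oversized message cannot pin a worker for minutes.
MAX_HTML_BYTES = 512 * 1024

# Step 1: reduce HTML to plain text with a few single-pass substitutions.
def html_to_text(html)
  text = html.byteslice(0, MAX_HTML_BYTES).dup
  # Drop script/style bodies entirely (non-greedy, closed by the matching tag).
  text.gsub!(%r{<(script|style)\b[^>]*>.*?</\1\s*>}mi, '')
  # Turn line breaks and block-level closers into newlines so that reply
  # markers land on their own line.
  text.gsub!(%r{<br\s*/?>|</(p|div|tr|li|h[1-6]|blockquote)\s*>}i, "\n")
  # Strip whatever tags remain, then decode entities such as &amp; and &gt;.
  text.gsub!(/<[^>]*>/, '')
  text = CGI.unescapeHTML(text)
  text.gsub(/[ \t]+/, ' ').gsub(/\n\s*\n+/, "\n").strip
end

# Step 2: keep only the visible reply, stopping at the first line that looks
# like the start of quoted history (assumed marker set; a real deployment would
# grow it, each pattern is anchored and evaluated per line).
QUOTE_MARKERS = [
  /\A>/,                                    # "> quoted line"
  /\AOn .+wrote:\s*\z/,                     # "On Mon, 6 Dec 2021 ..., X wrote:"
  /\A-{2,}\s*Original Message\s*-{2,}\z/i,  # Outlook-style separator
  /\A-- \z/                                 # signature separator
].freeze

def extract_reply(text)
  kept = []
  text.each_line do |line|
    line = line.chomp
    break if QUOTE_MARKERS.any? { |marker| line.match?(marker) }
    kept << line
  end
  kept.join("\n").strip
end

def reply_from_html(html)
  extract_reply(html_to_text(html))
end

# Constructed sample: a short reply on top of a quoted thread, Gmail-style.
SAMPLE_HTML = <<~HTML
  <html><head><style>p { color: #333 }</style></head>
  <body>
  <div dir="ltr"><p>Thanks, that works for me.</p>
  <p>Regards,<br>Alice &amp; team</p></div>
  <div class="gmail_quote">On Mon, 6 Dec 2021 at 10:00, Support &lt;support@example.com&gt; wrote:<br>
  <blockquote>&gt; Please try the attached patch.</blockquote></div>
  </body></html>
HTML

# Constructed large input: the same reply above roughly 20 KB of quoted
# history, mirroring the size the report says took minutes to process.
def large_sample_html(paragraphs = 200)
  quoted = "<p>&gt; Earlier message text that keeps getting quoted back.</p>\n" * paragraphs
  SAMPLE_HTML.sub('</blockquote>', "#{quoted}</blockquote>")
end

if __FILE__ == $0
  html = large_sample_html
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  reply = reply_from_html(html)
  elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
  puts "input: #{html.bytesize} bytes, parsed in #{(elapsed * 1000).round(1)} ms"
  puts "reply:\n#{reply}"
end
```

The timing printed by the stand-alone run is the check a maintainer would want before and after a change like this: parse time should stay flat as the quoted history grows, because every pattern is anchored to a single line or bounded by a closing tag.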

We are processing your report and will contact the chatwoot team within 24 hours. 10 months ago
Andre Borie
10 months ago

Researcher


Note that this does not require any authentication as this code is used for parsing incoming emails.

We have contacted a member of the chatwoot team and are waiting to hear back 10 months ago
Sojan Jose
9 months ago

Maintainer


Hey Andre, thanks for reporting. We will take a look and get back to you.

Tejaswini Chile validated this vulnerability 9 months ago
Andre Borie has been awarded the disclosure bounty
The fix bounty is now up for grabs
Tejaswini Chile confirmed that a fix has been merged on 44486f a month ago
Tejaswini Chile has been awarded the fix bounty