PT-2025-2449 · Matrix Media Repo

Turt2Live · Published 2025-01-16 · Updated 2025-01-30 · CVE-2024-36403

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Matrix Media Repo versions prior to 1.3.5
Description: The issue allows an unauthenticated adversary to induce the system to download and cache large amounts of remote media files, resulting in unbounded disk consumption. This can lead to a denial of service once the disk is full, because authenticated users will then be unable to upload new media. For instances using cloud-based S3 storage, the result could instead be high service fees rather than a denial of service. The typical operating environment of Matrix Media Repo uses S3-like storage as a backend, with a file-backed store as an alternative option; instances using a file-backed store, or self-hosting their S3 storage system, are therefore vulnerable to a disk-fill attack.
Recommendations: For versions prior to 1.3.5, update to version 1.3.5 or later, which introduces a new default-on "leaky bucket" rate limit that reduces the amount of data a user can request at a time. Operators should note that the leaky bucket implementation requires the IP address associated with the request to be forwarded; otherwise the rate limit is mistakenly applied to the reverse proxy rather than to the client. To avoid this, the reverse proxy should populate the X-Forwarded-For header when sending the request to Matrix Media Repo. As a temporary workaround, consider lowering the maximum allowed file size and imposing harsh rate limits, though even then a large amount of data can still be downloaded.
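As an added illustration of the mitigation described above (example code written for this page, not Matrix Media Repo's own implementation), a Go leaky-bucket byte budget keyed by client address, with the key taken from X-Forwarded-For when the reverse proxy supplies it and from the TCP peer otherwise; the type and function names, the injectable clock, and the capacity and drain-rate values are constructed for the example.

```go
package main

import (
	"net"
	"net/http"
	"strings"
	"time"
)

// LeakyBucket keeps a per-client byte budget: each download adds its size, the
// budget drains at DrainPerSec, and a request that would overflow Capacity is
// refused. Illustrative, unsynchronized demo, not Matrix Media Repo's own code.
type LeakyBucket struct {
	Capacity, DrainPerSec int64
	now                   func() time.Time // injectable clock
	fill                  map[string]int64
	last                  map[string]time.Time
}

func NewLeakyBucket(capacity, drainPerSec int64, now func() time.Time) *LeakyBucket {
	return &LeakyBucket{Capacity: capacity, DrainPerSec: drainPerSec, now: now,
		fill: map[string]int64{}, last: map[string]time.Time{}}
}

// Allow reports whether a download of size bytes for key fits the budget.
func (b *LeakyBucket) Allow(key string, size int64) bool {
	t := b.now()
	if prev, ok := b.last[key]; ok { // drain what leaked since the last request
		b.fill[key] -= int64(t.Sub(prev).Seconds()) * b.DrainPerSec
		if b.fill[key] < 0 {
			b.fill[key] = 0
		}
	}
	b.last[key] = t
	if b.fill[key]+size > b.Capacity {
		return false
	}
	b.fill[key] += size
	return true
}

// ClientKey picks the limit key: the first X-Forwarded-For hop when the proxy
// sets it, else the TCP peer (behind a proxy that drops the header, that peer is
// the proxy itself, so every user would share one bucket).
func ClientKey(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		return strings.TrimSpace(strings.Split(xff, ",")[0])
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	return host
}
```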

Tags: Exploit · Fix · DoS

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers

CVE-2024-36403
GHSA-VC2M-HW89-QJXF
GO-2025-3401
OPENSUSE-SU-2025:14704-1
OPENSUSE-SU-2025_0297-1
SUSE-SU-2025:0297-1

Affected Products

Matrix Media Repo
Suse