Description
Location
mdk-sqlite-storage/src/welcomes.rs#L79
mdk-sqlite-storage/src/groups.rs#L25
mdk-sqlite-storage/src/groups.rs#L127
mdk-sqlite-storage/src/groups.rs#L167
Synopsis
The function pending_welcomes queries all rows with state equal to "pending" without limits and deserializes them, which allows unbounded processing that may cause memory exhaustion or stalls.
Impact
Medium.
An attacker can deny service by exhausting heap memory and CPU, affecting availability of the process and dependent components.
Feasibility
Medium.
An attacker who can create many pending entries and trigger the code path that calls the function pending_welcomes can perform the attack over standard application interfaces.
Severity
Medium.
Preconditions
For this issue to occur, the following must apply:
- The attacker must be able to create or cause creation of many rows with the column state set to "pending";
- A request handler, job, or endpoint must call the function pending_welcomes(); and
- The database and service configuration must not impose quotas, per-actor limits, or row-level time-to-live that prevent unbounded growth.
Technical Details
The function pending_welcomes executes a query equivalent to SELECT * FROM welcomes WHERE state = 'pending', materializes the full result set in memory, and performs JSON deserialization and RelayUrl parsing for each row. Processing scales with the total number of pending rows, which drives unbounded heap allocation and CPU use, degrading throughput and potentially terminating the process. Similar unbounded reads exist in the functions all_groups, messages, and group_relays in the file groups.rs, although inflating those tables is more difficult.
An exploit consists of creating a large number of pending entries, then invoking any operation that calls the function pending_welcomes to trigger repeated full deserialization. If the interface is unauthenticated or low cost, automated requests can sustain a denial of service.
Remediation
We recommend replacing the unbounded query in the function pending_welcomes() with paginated access using ORDER BY and LIMIT, processing rows in fixed-size batches. We also suggest applying the same bounded pattern in the functions all_groups, messages, and group_relays.
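One way to implement the bounded pattern recommended above, written as an added example (not the project's code) in Python against the standard-library sqlite3 module rather than the crate's Rust code; the table layout, the id primary key the cursor pages on, and the JSON payload column are constructed assumptions.

```python
import json
import sqlite3

# Constructed stand-in for the project's welcomes table (assumption: an INTEGER
# PRIMARY KEY id exists; the keyset cursor below pages on it).
SCHEMA = """CREATE TABLE welcomes (id INTEGER PRIMARY KEY, state TEXT NOT NULL, payload TEXT NOT NULL);
CREATE INDEX welcomes_state_id ON welcomes(state, id);"""

def seed(conn, pending_rows, other_rows=5):
    """Insert constructed sample rows: pending_rows 'pending' plus a few 'accepted'."""
    rows = [("pending", json.dumps({"n": i})) for i in range(pending_rows)]
    rows += [("accepted", json.dumps({"n": -1})) for _ in range(other_rows)]
    conn.executemany("INSERT INTO welcomes(state, payload) VALUES (?, ?)", rows)

def pending_welcomes_unbounded(conn):
    """Reported pattern: materialize every pending row, then deserialize; cost grows with total rows."""
    rows = conn.execute("SELECT payload FROM welcomes WHERE state = 'pending'").fetchall()
    return [json.loads(p) for (p,) in rows]

def pending_welcomes_batched(conn, handle, batch_size=100):
    """Bounded pattern: ORDER BY id LIMIT n with a keyset cursor (id > last_id), so at
    most batch_size rows are held at once and each page is an index seek rather than
    the growing scan OFFSET would cause. Returns (rows_processed, batches)."""
    last_id, processed, batches = 0, 0, 0
    while True:
        rows = conn.execute(
            "SELECT id, payload FROM welcomes "
            "WHERE state = 'pending' AND id > ? ORDER BY id LIMIT ?",
            (last_id, batch_size),
        ).fetchall()
        if not rows:
            return processed, batches
        batches += 1
        for row_id, payload in rows:
            handle(json.loads(payload))  # deserialize one row at a time
            processed += 1
            last_id = row_id

def demo(pending_rows=1000, batch_size=100):
    """Seed an in-memory database and drain it in batches; the running checksum
    (0 + 1 + ... + pending_rows - 1) shows every pending row was handled exactly once."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    seed(conn, pending_rows)
    total = 0
    def handle(w):
        nonlocal total
        total += w["n"]
    processed, batches = pending_welcomes_batched(conn, handle, batch_size)
    return processed, batches, total
```

The same cursor-plus-LIMIT loop applies to all_groups, messages and group_relays once each has a monotonic key to page on.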
Status
Reported.