CVE-2023-3782 Overview
CVE-2023-3782 is a Denial of Service (DoS) vulnerability affecting the OkHttp client library when configured with the BrotliInterceptor. The vulnerability allows an attacker to crash or exhaust resources of an OkHttp client application by delivering a Brotli-compressed "zip-bomb" payload. This can occur when a user connects to a malicious web server, or when an attacker performs a Man-in-the-Middle (MitM) attack to inject the malicious compressed response into legitimate HTTP traffic.
Critical Impact
Applications using okhttp-brotli are vulnerable to resource exhaustion attacks that can render the client application unresponsive or crash entirely when processing specially crafted Brotli-compressed HTTP responses.
Affected Products
- squareup okhttp-brotli (all versions prior to patch)
Discovery Timeline
- 2023-07-19 - CVE-2023-3782 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-3782
Vulnerability Analysis
This vulnerability (CWE-400: Uncontrolled Resource Consumption) stems from the decompression behavior of the BrotliInterceptor in the OkHttp library. When the interceptor processes an HTTP response with Brotli content encoding, it decompresses the body without adequate safeguards against decompression bombs (also known as "zip bombs").
A Brotli zip-bomb is a small compressed payload that expands to an extremely large size when decompressed. When delivered to a vulnerable OkHttp client, the decompression process consumes excessive memory and CPU resources, potentially leading to application crashes, out-of-memory errors, or system unresponsiveness.
The attack requires network access and can be delivered via two primary vectors: a malicious server directly serving the compressed payload, or a MitM attacker injecting the payload into otherwise legitimate HTTP responses.
Root Cause
The root cause lies in the BrotliInterceptor component of the okhttp-brotli library, which does not implement adequate bounds checking or resource limits during the decompression of Brotli-encoded HTTP response bodies. Without limits on the decompression ratio or output size, a highly compressed malicious payload can expand to consume all available memory on the client system.
Attack Vector
The attack vector is network-based and requires no authentication and no user interaction beyond the client issuing a request. An attacker can exploit this vulnerability by:
- Hosting a malicious web server that responds with Brotli-compressed zip-bomb payloads when an OkHttp client connects
- Performing a Man-in-the-Middle attack on the network path to intercept legitimate HTTP responses and inject malicious Brotli-compressed content
- Serving the malicious compressed payload to any client application using the vulnerable BrotliInterceptor
The vulnerability is triggered when the OkHttp client automatically decompresses the response body, causing excessive resource consumption. Attack complexity is high for the MitM scenario, which requires a privileged network position; a directly malicious server is simpler to set up.
Detection Methods for CVE-2023-3782
Indicators of Compromise
- Unexpected memory exhaustion or out-of-memory errors in applications using OkHttp with Brotli support
- Application crashes or hangs when processing HTTP responses from untrusted sources
- Abnormally small HTTP responses with Brotli encoding that cause disproportionate resource usage
- Network traffic containing suspicious Brotli-encoded responses with unusually high compression ratios
Detection Strategies
- Monitor application memory usage patterns for sudden spikes during HTTP response processing
- Implement logging for Brotli decompression operations to identify abnormal expansion ratios
- Use application performance monitoring (APM) tools to detect resource exhaustion patterns
- Review HTTP response headers for Content-Encoding: br from untrusted or unexpected sources
Monitoring Recommendations
- Configure alerting for abnormal memory consumption in client applications using OkHttp
- Monitor for application restarts or crashes that correlate with HTTP request activity
- Track decompression operations and flag responses with extreme compression ratios
- Implement network-level monitoring to identify potential MitM attack indicators
How to Mitigate CVE-2023-3782
Immediate Actions Required
- Inventory all applications using the squareup:okhttp-brotli dependency
- Update to the latest patched version of okhttp-brotli when available
- Consider temporarily disabling BrotliInterceptor in critical applications until patched
- Implement network-level protections to reduce MitM attack risk (TLS, certificate pinning)
Patch Information
Square has acknowledged this vulnerability through the GitHub Issue Report. Review the issue tracker for the latest patch information and updated library versions. For detailed technical analysis, refer to the JFrog Vulnerability Analysis.
Administrators should update their dependency management configurations (Maven, Gradle) to pull the latest okhttp-brotli version once the fix is released. Ensure all build pipelines fetch the updated library.
Workarounds
- Remove or disable the BrotliInterceptor from OkHttp client configurations until a patch is applied
- Implement custom response body size limits before decompression occurs
- Use application-level timeouts and resource limits to bound decompression operations
- Restrict connections to trusted servers only and enforce strict TLS certificate validation to mitigate MitM scenarios
- Consider implementing a custom interceptor that validates compressed response sizes before decompression
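One way to apply the "custom response body size limits" and "custom interceptor" workarounds above, as an added example that is not code from OkHttp or okhttp-brotli: an application interceptor that caps how many decompressed bytes the application will read from any response, so a small Brotli payload that keeps expanding fails with an IOException instead of exhausting the heap. It assumes OkHttp 4.x with okhttp-brotli and Okio on the classpath; the class name BoundedBodyInterceptor, the buildClient helper and the limit value are illustrative choices.

```java
import java.io.IOException;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Response;
import okhttp3.ResponseBody;
import okhttp3.brotli.BrotliInterceptor;
import okio.Buffer;
import okio.ForwardingSource;
import okio.Okio;
import okio.Source;

// Added example, not code from the OkHttp project. Assumes OkHttp 4.x with okhttp-brotli and
// Okio on the classpath; the class name and the limit passed to it are illustrative choices.
public final class BoundedBodyInterceptor implements Interceptor {
    private final long maxDecompressedBytes;
    public BoundedBodyInterceptor(long maxDecompressedBytes) {
        this.maxDecompressedBytes = maxDecompressedBytes;
    }
    @Override
    public Response intercept(Chain chain) throws IOException {
        Response response = chain.proceed(chain.request());
        ResponseBody body = response.body();
        if (body == null) return response;
        // BrotliInterceptor hands back a body that decompresses lazily as it is read, so the cap is
        // enforced on the stream and trips before string()/bytes() can buffer an unbounded body.
        Source limited = new ForwardingSource(body.source()) {
            private long total = 0L;
            @Override
            public long read(Buffer sink, long byteCount) throws IOException {
                long n = super.read(sink, byteCount);
                if (n != -1L && (total += n) > maxDecompressedBytes) {
                    throw new IOException("decompressed body exceeded " + maxDecompressedBytes + " bytes");
                }
                return n;
            }
        };
        return response.newBuilder()
                .body(ResponseBody.create(Okio.buffer(limited), body.contentType(), -1L))
                .build();
    }
    // Application interceptors run in registration order: registering this one first makes it the outer
    // layer, so it wraps the already-decompressed body that BrotliInterceptor returns.
    public static OkHttpClient buildClient(long maxDecompressedBytes) {
        return new OkHttpClient.Builder()
                .addInterceptor(new BoundedBodyInterceptor(maxDecompressedBytes))
                .addInterceptor(BrotliInterceptor.INSTANCE)
                .build();
    }
}
```

The limit is checked per read, so the body may overshoot it by at most one Okio segment before the exception is raised; pick a value that matches the largest response the application legitimately expects.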
// Gradle dependency update example (when patch is available)
// Update the dependencies block of your build.gradle to use the patched version
implementation 'com.squareup.okhttp3:okhttp-brotli:PATCHED_VERSION'
# Verify the resolved version from the shell
./gradlew dependencies | grep okhttp-brotli
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.