
DoS Vulnerability from Upstream Actix Web Issues

High
arctic-hen7 published GHSA-gjrj-9rj4-pgwx Dec 15, 2021

Package: cargo perseus-actix-web (Rust)
Affected versions: < 0.3.0-beta.22
Patched versions: 0.3.0-beta.22

Package: cargo perseus-engine-server (Rust)
Affected versions: < 0.3.0-beta.21
Patched versions: 0.3.0-beta.21

Description

Impact

This vulnerability affects all users of the perseus deploy functionality who have not exported their sites to static files. If you are using the inbuilt Perseus server in production, there is a memory leak in Actix Web stemming from this upstream issue which can allow even a single user to cause the process to exhaust its memory on low-memory servers by continuously reloading the page. Note that this issue does not affect all Actix Web applications, but rather results from certain usage patterns which appear to be present in Perseus' server mechanics.

Patches

This vulnerability is addressed in all versions after Perseus v0.3.0-beta.21, which temporarily discontinues the use of perseus-actix-web (until the upstream bug is fixed) and switches to perseus-warp instead, which utilizes Warp.

Additionally, as of Perseus v0.3.0-beta.22, the Actix Web integration has been upgraded to use the latest unstable beta version of Actix Web, which appears to partially resolve this issue (the severity of the memory leak is reduced). However, due to the instability of this version, the default integration will remain Warp for now, and a warning will appear if you attempt to use the Actix Web integration.
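As an added check (not part of Perseus or of this advisory), the following Rust program scans a Cargo.lock for the two affected ranges listed above. It assumes the standard Cargo.lock layout (a `name = "..."` line followed by the `version = "..."` line of the same `[[package]]` block) and only the `beta.N` pre-release form used by these versions.

```rust
// Added audit helper, not Perseus code: flag Cargo.lock entries that fall in
// the affected ranges this advisory lists (affected if below the fixed version).
const ADVISORY: &[(&str, &str)] = &[
    ("perseus-actix-web", "0.3.0-beta.22"),
    ("perseus-engine-server", "0.3.0-beta.21"),
];
/// Parse "MAJOR.MINOR.PATCH[-beta.N]" into a comparable key. Assumption: only
/// "beta.N" pre-releases occur, and a final release outranks every pre-release.
fn version_key(v: &str) -> Option<(u64, u64, u64, u64)> {
    let (core, pre) = v.split_once('-').map_or((v, None), |(c, p)| (c, Some(p)));
    let mut nums = core.split('.').map(|s| s.parse::<u64>().ok());
    let (major, minor, patch) = (nums.next()??, nums.next()??, nums.next()??);
    let pre_rank = match pre {
        None => u64::MAX,
        Some(p) => p.strip_prefix("beta.")?.parse::<u64>().ok()?,
    };
    Some((major, minor, patch, pre_rank))
}

/// Return (name, version) for each locked package inside an affected range.
/// Assumes the usual Cargo.lock layout: `name = "..."` precedes `version = "..."`.
fn affected_packages(cargo_lock: &str) -> Vec<(String, String)> {
    let mut hits = Vec::new();
    let mut current_name: Option<String> = None;
    for line in cargo_lock.lines().map(str::trim) {
        if let Some(rest) = line.strip_prefix("name = ") {
            current_name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            let version = rest.trim_matches('"');
            if let Some(name) = current_name.as_deref() {
                let vulnerable = ADVISORY.iter().any(|(pkg, fixed)| {
                    name == *pkg && matches!((version_key(version), version_key(fixed)),
                        (Some(have), Some(fix)) if have < fix) // unparseable: not flagged
                });
                if vulnerable {
                    hits.push((name.to_string(), version.to_string()));
                }
            }
        }
    }
    hits
}

fn main() {
    // Constructed sample lock file, not from a real project.
    let lock = "[[package]]\nname = \"perseus-actix-web\"\nversion = \"0.3.0-beta.20\"\n";
    for (name, version) in affected_packages(lock) {
        println!("AFFECTED: {} {}", name, version);
    }
}
```

Point it at a real lock file with `affected_packages(&std::fs::read_to_string("Cargo.lock")?)` and treat any hit as a production server still running the leaking integration.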

Using the Actix Web integration

If the instability of the latest beta version of Actix Web is not a concern for you, you can use this integration by adding -i actix-web to perseus serve and the like. This will print a warning about instability, and will then operate with the beta version. Please report any failures in functionality that are not security-related to the Perseus team by opening an issue on the repository.

Note however that switching to the Warp integration requires no code changes whatsoever unless you've ejected, so there are very few disadvantages to this change.

Workarounds

Due to significant infrastructural changes within other Perseus packages that were needed to support Warp, this integration is not backward-compatible with any previous version of Perseus, meaning there are no easily feasible workarounds. If you're only in development though, this vulnerability is irrelevant until you push to production.

CVE Status

Due to GitHub's requirements, a CVE can't be issued for this security advisory because the issue is technically one with Actix Web (though it's only in combination with certain mechanics in the Perseus server that this problem arises).

References

See this upstream issue in Actix Web.

For more information

If you have any questions or comments about this advisory:

CVE ID

No known CVE

Weaknesses

No CWEs