CVE-2024-36403
📋 TL;DR
Matrix Media Repo (MMR) before version 1.3.5 is vulnerable to a disk fill attack where unauthenticated attackers can force it to download and cache large amounts of remote media files. This affects instances using file-backed storage or self-hosted S3 storage, causing denial of service when disks fill up, while cloud S3 users face high service fees. The vulnerability stems from unbounded disk consumption without proper rate limiting.
💻 Affected Systems
- Matrix Media Repo (MMR)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for authenticated users unable to upload media due to filled disk, or exorbitant cloud storage fees leading to financial impact.
Likely Case
Degraded service performance and potential temporary denial of service for media uploads until disk space is cleared.
If Mitigated
Limited impact with rate limiting in place, though still vulnerable to sustained attacks if not fully patched.
🎯 Exploit Status
Exploitation requires no authentication and minimal technical skill, making it easily weaponizable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.5
Vendor Advisory: https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-vc2m-hw89-qjxf
Restart Required: Yes
Instructions:
1. Update MMR to version 1.3.5 or later.
2. Ensure the reverse proxy populates the X-Forwarded-For header so rate limits are applied per client rather than to the proxy's own address.
3. Restart the MMR service.
🔧 Temporary Workarounds
Implement harsh rate limits
Configure aggressive rate limiting on media download requests to reduce data consumption.
# Configure in MMR settings or via reverse proxy (e.g., nginx rate limiting)
Reduce maximum file size
Lower the maximum allowed file size for media downloads to limit attack impact.
# Set in MMR configuration: maxFileSizeBytes
🧯 If You Can't Patch
- Implement network-level rate limiting at reverse proxy or firewall to restrict unauthenticated requests.
- Monitor disk usage and cloud storage costs closely for anomalies, with alerts for spikes.
🔍 How to Verify
Check if Vulnerable:
Check MMR version; if below 1.3.5, it is vulnerable. Review configuration for storage type (file-backed or self-hosted S3).
Check Version:
# Run: matrix-media-repo --version or check service logs/configuration
Verify Fix Applied:
Confirm that the MMR version is 1.3.5 or higher and that the X-Forwarded-For header is properly set by the reverse proxy.
📡 Detection & Monitoring
Log Indicators:
- Unusual spikes in media download requests from single IPs
- High disk usage or storage cost alerts
Network Indicators:
- Excessive outbound traffic to remote media sources
- Pattern of repeated download requests from unauthenticated sources
SIEM Query:
source="mmr.log" AND (download_count > threshold OR remote_media_requests FROM ip)
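The log indicators above can be turned into a concrete check. The script below is an added example, not code from the MMR project or the advisory: it parses reverse-proxy access-log lines in an assumed layout (client IP, ISO timestamp, request line, status), keeps only downloads of remote media (the requests that make MMR fetch and cache files from other homeservers), and flags any source IP that issues more than a threshold of such requests inside a sliding one-minute window. The sample log, the server names and the 203.0.113.0/24 and 198.51.100.0/24 client addresses are constructed test data.

```python
"""Flag source IPs that hammer the Matrix remote-media download endpoint.

Added example. The log layout parsed here (ip [timestamp] "request" status)
is an assumption for illustration, not MMR's own log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matrix client-server media download/thumbnail path; the first path segment
# after download/ is the origin homeserver the media is fetched from.
DOWNLOAD_RE = re.compile(
    r"^/_matrix/media/(?:r0|v1|v3)/(?:download|thumbnail)/(?P<server>[^/]+)/"
)
# Assumed access-log layout: 203.0.113.7 [2024-06-01T12:00:00] "GET /path HTTP/1.1" 200
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.fromisoformat(m["ts"]),
            "path": m["path"], "status": int(m["status"])}


def remote_origin(path, local_server):
    """Origin homeserver of a remote-media download, or None when the path is
    not a download or the media is local (local media costs no extra disk)."""
    m = DOWNLOAD_RE.match(path)
    if not m or m["server"] == local_server:
        return None
    return m["server"]


def find_abusive_ips(lines, local_server, window=timedelta(minutes=1), threshold=20):
    """Return {ip: (peak_requests_in_window, distinct_remote_origins)} for every
    IP whose remote-media download count inside any `window`-long span exceeds
    `threshold`. Many distinct origins from one IP is the disk-fill pattern."""
    stamps_by_ip = defaultdict(list)
    origins_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        origin = remote_origin(rec["path"], local_server)
        if origin is None:
            continue
        stamps_by_ip[rec["ip"]].append(rec["ts"])
        origins_by_ip[rec["ip"]].add(origin)

    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = (peak, len(origins_by_ip[ip]))
    return flagged


def build_sample_log():
    """Constructed sample: one IP pulling 30 files from 30 different remote
    servers in 30 seconds, one normal client, one local download, one junk line."""
    base = datetime(2024, 6, 1, 12, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f'203.0.113.7 [{ts}] "GET /_matrix/media/v3/download/remote{i}.example/media{i} HTTP/1.1" 200')
    for i in range(3):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f'198.51.100.4 [{ts}] "GET /_matrix/media/v3/download/friend.example/pic{i} HTTP/1.1" 200')
    lines.append(f'198.51.100.4 [{base.isoformat()}] "GET /_matrix/media/v3/download/example.org/local1 HTTP/1.1" 200')
    lines.append("malformed line that should be skipped")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, (peak, n_origins) in find_abusive_ips(SAMPLE_LOG, "example.org").items():
        print(f"{ip}: {peak} remote downloads/min across {n_origins} origin servers")
```

Run it against a real access log by feeding the file's lines to `find_abusive_ips` with your own server name; the window and threshold are starting points, and the count of distinct origin servers is the more useful discriminator, since legitimate clients rarely pull from dozens of homeservers within a minute. Pair the IP-level view with the disk-usage and storage-cost alerts listed above, because a distributed attacker stays under any per-IP threshold while still filling the disk.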