Advisories for Maven/Com.rabbitmq/Amqp-Client package

2023

RabbitMQ Java client's Lack of Message Size Limitation leads to Remote DoS Attack

Summary

maxBodyLength was not enforced when receiving Message objects. An attacker who can publish to a queue the consumer reads from could send a single very large message; the client allocated a buffer for the whole body, exhausting the consumer's heap and triggering an OutOfMemoryError (a remote denial of service).

PoC

RabbitMQ: Use RabbitMQ 3.11.16 as the broker and set its maximum message body size to 512M (it only needs to be larger than the consumer's available memory). Start RabbitMQ.

Producer: Build a String of length 256M and send it to the Consumer:

package org.springframework.amqp.helloworld;
import org.springframework.amqp.core.AmqpTemplate;
import org.springframework.context.ApplicationContext;
…
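The mitigation for the issue above, as an added example that is not part of the advisory or of the rabbitmq-java-client project: it assumes com.rabbitmq:amqp-client 5.18.0 or later, where a ConnectionFactory.setMaxInboundMessageBodySize limit was introduced (its default of 64 MiB and the close-on-overflow behaviour are stated from memory and should be checked against the release notes), and a broker at localhost. The queue name, the 16 MiB cap and the oversized-body reproduction helper are my own choices.

```java
// Added example, not code from the advisory or the rabbitmq-java-client project.
// Assumes amqp-client >= 5.18.0 (setMaxInboundMessageBodySize) and a broker on localhost.
import com.rabbitmq.client.AMQP;
import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.DefaultConsumer;
import com.rabbitmq.client.Envelope;

import java.io.IOException;
import java.util.concurrent.TimeoutException;

public class BoundedBodyConsumer {
    // Largest body this application legitimately handles; keep it well under the
    // consumer's heap. Must also be below the broker's own max_message_size
    // (rabbitmq.conf: max_message_size = 16777216) so the broker rejects oversized
    // publishes before they are ever queued. Both values are assumptions for this example.
    static final int MAX_BODY_BYTES = 16 * 1024 * 1024;
    static final String QUEUE = "poc.queue"; // hypothetical queue name

    static ConnectionFactory boundedFactory(String host) {
        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost(host);
        // Client-side cap (the fix for this advisory). Before 5.18.0 no such setting
        // existed and the full body of any delivery was allocated on the heap.
        factory.setMaxInboundMessageBodySize(MAX_BODY_BYTES);
        return factory;
    }

    // Consumer: with the cap in place an oversized delivery causes the client to
    // close the connection with an error instead of allocating the body (assumption
    // about the exact failure mode; verify against the client's release notes).
    static void consume(ConnectionFactory factory) throws IOException, TimeoutException {
        Connection conn = factory.newConnection();
        Channel ch = conn.createChannel();
        ch.queueDeclare(QUEUE, false, false, false, null);
        ch.basicQos(1); // at most one unacked body buffered per consumer
        ch.basicConsume(QUEUE, false, new DefaultConsumer(ch) {
            @Override
            public void handleDelivery(String tag, Envelope env,
                                       AMQP.BasicProperties props, byte[] body) throws IOException {
                System.out.println("received " + body.length + " bytes");
                ch.basicAck(env.getDeliveryTag(), false);
            }
        });
        // connection left open so the consumer keeps running
    }

    // Reproduction helper mirroring the PoC: publish a 256 MiB body. Only run this
    // against a disposable broker whose max_message_size has been raised to allow it.
    static void publishOversized(ConnectionFactory factory) throws IOException, TimeoutException {
        byte[] body = new byte[256 * 1024 * 1024];
        try (Connection conn = factory.newConnection(); Channel ch = conn.createChannel()) {
            ch.queueDeclare(QUEUE, false, false, false, null);
            ch.basicPublish("", QUEUE, null, body);
        }
    }

    public static void main(String[] args) throws Exception {
        ConnectionFactory factory = boundedFactory("localhost");
        if (args.length > 0 && args[0].equals("publish")) {
            publishOversized(factory);
        } else {
            consume(factory);
        }
    }
}
```

Run the consumer first, then `publish` from a second JVM: a patched client with the cap set refuses the 256 MiB delivery, whereas a pre-5.18.0 client (or one with the cap raised above its heap) dies with an OutOfMemoryError. The broker-side max_message_size is the defence that also protects clients you do not control, so set both.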

2018

Improper Certificate Validation

Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.
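A TLS configuration that performs the hostname validation the advisory says was missing, as an added example that is not code from the advisory, Spring AMQP or the rabbitmq-java-client project. It uses the underlying com.rabbitmq.client.ConnectionFactory directly and assumes amqp-client 5.4.0 or later, where enableHostnameVerification() is available; the trust-store path and password parameters are placeholders supplied by the caller.

```java
// Added example, not from the advisory or either project. Assumes amqp-client >= 5.4.0
// and a PKCS#12 trust store containing the broker's CA, supplied by the caller.
import com.rabbitmq.client.ConnectionFactory;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public class VerifiedTlsConnectionFactory {

    // Returns a factory that verifies both the certificate chain and the hostname.
    static ConnectionFactory hardened(String host, String trustStorePath, char[] trustStorePassword)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost(host);
        factory.setPort(5671);
        // WEAK (do not use): factory.useSslProtocol() with no SSLContext installs a
        // trust-everything manager, so any certificate is accepted.
        factory.useSslProtocol(ctx);           // chain validated against our trust store
        // Chain validation alone still accepts a valid certificate for a different host,
        // which is exactly the man-in-the-middle case in the advisory; this closes it.
        factory.enableHostnameVerification();
        return factory;
    }

    public static void main(String[] args) throws Exception {
        ConnectionFactory f = hardened("broker.example.internal",
                                       "/etc/app/truststore.p12", "changeit".toCharArray());
        try (com.rabbitmq.client.Connection conn = f.newConnection()) {
            System.out.println("TLS connection established to " + f.getHost());
        }
    }
}
```

When Spring AMQP builds the factory for you, the same two properties are what matter: a real trust store rather than the trust-all default, and hostname verification switched on for the versions that fixed this advisory (1.7.10 and 2.0.6 onward).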