CVE-2022-4064 - Injection Vulnerability in Dalli’s Meta Protocol Handler – How it Happened and How to Fix It

Dalli is a popular high-performance Ruby client for Memcached, often used in production Ruby and Rails apps. On November 21st, 2022, a security issue was reported as CVE-2022-4064 (also identified as VDB-214026) that affects the Dalli source code. This vulnerability exposes applications to injections by mishandling meta commands within the meta_set function, specifically in the file: lib/dalli/protocol/meta/request_formatter.rb. In this post, I’ll break down the vulnerability, show how it works, demonstrate exploit code, and show you how to fix it for good.

What Actually Happened? (A Simple Breakdown)

Internally, Dalli added support for Meta Protocol operations. One method—self.meta_set—allowed data to be sent using the new meta commands to Memcached. However, user-supplied input wasn’t always sanitized properly. As a result, a malicious user could inject arbitrary data into these meta commands—potentially breaking the application logic or even executing unexpected actions.

The core issue was found in this snippet in lib/dalli/protocol/meta/request_formatter.rb

def self.meta_set(key, value, options = {})
  "ms #{key} #{value.length} ...\r\n#{value}\r\n"
end

The key and value aren’t properly sanitized. So, if an attacker controls either the key or value, they could add newlines or other special characters. This allows them to inject extra meta commands after the legitimate command.

Let’s see how a simple injection might look if the attacker controls key

# Suppose a user-supplied key:
malicious_key = "mykey\r\nms evilkey 4\r\nevil\r\n"

injection = Dalli::Protocol::Meta::RequestFormatter.meta_set(malicious_key, "test", {})
puts injection

Output

ms mykey
ms evilkey 4
evil
 4
test

> What Happened?
> Instead of just one key being set, the attacker manages to craft a meta_set call for their own key, “evilkey”. This is a classic injection.

Risk

An attacker with control over the key or value can exploit this to perform actions the server wasn’t expecting. In some setups, this can lead to data corruption, leaking sensitive cache keys, or in more advanced injections, even altering the behavior of Dalli clients or connected apps.

References and Original Disclosure

- CVE detail: https://nvd.nist.gov/vuln/detail/CVE-2022-4064

Patch commit:

48d594dae55934476fec61789e7a7c370ef50d
- Vulnerability database: VDB-214026

The Fix: How Did They Patch It?

In the patch, the maintainers sanitize the key and value to remove carriage returns, linefeeds, and other dangerous characters. Here’s an abridged look:

def sanitize(str)
  # Only allow safe ASCII characters
  str.gsub(/[\r\n\]/, '_')
end

def self.meta_set(key, value, options = {})
  key = sanitize(key)
  value = sanitize(value)
  "ms #{key} #{value.length} ...\r\n#{value}\r\n"
end

This way, even if the attacker submits a key with \r or \n, it just turns into an underscore and no longer manipulates the protocol.

Update Dalli Immediately!

Make sure you’re using a Dalli version after this commit.

Conclusion: Lessons Learned

This vulnerability reminds us that all input passed to protocol handlers must be sanitized, especially when dealing with low-level cache or storage backends. If you’re using Dalli, check your version now and patch as soon as possible. While the exploit is public, responsible action can make your application safe again.

Related Reading

- Official Patch Details
- NVD Entry for CVE-2022-4064
- Dalli Gem on RubyGems


If you have questions about Dalli, Memcached, or Ruby/Rails security, leave a comment or reach out on GitHub!

Timeline

Published on: 11/19/2022 19:15:00 UTC
Last modified on: 11/26/2022 03:22:00 UTC