This report was rewarded with a $500 bug bounty: https://issuetracker.google.com/issues/182062672
It looks like https://pub.dev/ (https://github.com/dart-lang/pub-dev) is subject to a DoS attack.
Consider a pubspec.yaml which contains a YAML bomb. Once pub publish is executed, the application is published to the pub packages registry.
The pub.dev registry (a Google-owned App Engine app) tries to load the YAML, and the resulting CPU utilization kills performance. CPU usage goes sky-high and the website is no longer responsive.
Spin up the server:
Edit /app/lib/shared/configuration.dart to change the GCP project to one you own and run:
dart bin/server.dart default
Go to yaml-bomb and run:
export PUB_HOSTED_URL=http://localhost:8080
pub publish
- CPU usage goes sky-high
- pub.dev is not responsive anymore ~> timeout ~> DoS
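An added example, not part of the original report or of pub-dev's own code: a guard a registry could run on an uploaded pubspec.yaml before anything walks or copies the parsed tree. It assumes package:yaml returns the same node object for every alias of an anchor; expandedNodeCount, maxExpandedNodes and the sample document are hypothetical names and constructed data.

```dart
import 'package:yaml/yaml.dart';

// Hypothetical demo budget; size it from the largest legitimate pubspec.
final maxExpandedNodes = BigInt.from(100);
// Constructed sample: four small levels of nested aliases.
const constructedPubspec = '''
name: demo
a: &a [x, x, x]
b: &b [*a, *a, *a]
c: &c [*b, *b, *b]
d: [*c, *c, *c]
''';

/// Number of nodes the document would have if every alias were copied out.
/// Assumption: package:yaml hands back one shared node per anchor, so the
/// count is memoised by identity and costs time linear in the parsed graph.
BigInt expandedNodeCount(YamlNode root) {
  final memo = Map<YamlNode, BigInt>.identity();
  final inProgress = Set<YamlNode>.identity();
  BigInt visit(YamlNode node) {
    final cached = memo[node];
    if (cached != null) return cached;
    // An alias pointing back into its own anchor would expand forever.
    if (!inProgress.add(node)) {
      throw FormatException('recursive alias in YAML document');
    }
    var total = BigInt.one;
    if (node is YamlMap) {
      node.nodes.forEach((key, value) {
        total += visit(key as YamlNode) + visit(value);
      });
    } else if (node is YamlList) {
      for (final child in node.nodes) {
        total += visit(child);
      }
    }
    inProgress.remove(node);
    memo[node] = total;
    return total;
  }
  return visit(root);
}

void main() {
  final size = expandedNodeCount(loadYamlNode(constructedPubspec));
  final verdict = size > maxExpandedNodes ? 'reject' : 'accept';
  print('expanded node count: $size -> $verdict upload');
}
```

The count uses BigInt because the expanded size grows exponentially with alias depth and would overflow a fixed-width integer long before the document itself gets large.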
Please refer to screenshots
In addition to the report, the following images were shared: