Recursive URL Decoding Can Expose Servers to CPU-Draining Decode Bomb Attacks
A security concern known informally as a 'decode bomb' arises when server-side code loops URL decoding until a string stops changing, allowing attackers to submit deeply nested encoded payloads that force excessive processing cycles. A crafted string like %25252525252527 can require seven decode passes just to resolve a single character, multiplying CPU work per request. While a single such request poses little risk, repeated submissions can degrade server performance, particularly on resource-limited systems. The recommended mitigation is to cap the number of decode passes at a fixed limit, such as three, while still allowing early exit if the string stabilises sooner. Developers are also advised to audit how upstream components like web servers, reverse proxies, and frameworks already handle URL normalisation before adding custom decoding logic.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in