CVE-2017-16129 in HTTP Client Module
Summary
by MITRE
The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.
Analysis
by VulDB Data Team • 08/19/2025
The vulnerability identified as CVE-2017-16129 affects the superagent HTTP client module, which is widely used in Node.js applications for making HTTP requests. The flaw is a resource-exhaustion weakness in how the client handles compressed response bodies: superagent transparently inflates gzip and deflate encoded responses but puts no ceiling on the inflated size, so a small compressed body can be turned into a very large uncompressed payload before the application ever sees it.
The issue arises when superagent receives a response whose Content-Encoding is gzip or deflate. Affected versions decompress the body and buffer the full result in memory with no limit on the decompressed size. Deflate streams of highly repetitive data compress at up to roughly 1000:1, so a response of a few megabytes can inflate to gigabytes; the growth is linear in the compressed size rather than exponential, but the ratio is large enough that a single response can exhaust the heap of a Node.js process. Because the inflated size is only known once decompression has run, a check on the Content-Length header, which describes the compressed body, does not prevent this.
From an operational perspective, an attacker who can steer a superagent request to a server they control can crash or stall the application with a single response. This is most relevant where user input influences request destinations, for example webhook callbacks, URL fetchers or link-preview features. The outcome is memory exhaustion, an out-of-memory crash of the Node.js process or, under a process manager that restarts it, a restart loop, and therefore service unavailability, especially where the application runs without memory limits or resource monitoring.
The vulnerability maps to CWE-400, "Uncontrolled Resource Consumption", and to ATT&CK technique T1499.004, "Endpoint Denial of Service: Application or System Exploitation". Because superagent is a common dependency, many applications can be affected through transitive use without referencing the package directly. Exploitation requires only control of the requested URL and a server that returns a prepared compressed response, so no particular technical sophistication is needed. Security teams should upgrade to superagent 3.7.0 or later, which introduced a maxResponseSize() request option that aborts the request once the decompressed body exceeds the configured limit, and should audit dependency trees for older versions that are pulled in indirectly.
Mitigation should start with a hard limit on the size of the decompressed response body, enforced while the body streams in rather than after it has been buffered, together with a request timeout so that a slow but endless body cannot tie up the client. Restricting outbound destinations to an allowlist, or at least rejecting URLs that resolve to unexpected hosts, removes the attacker's control over where the request goes, and process-level memory limits with monitoring for sudden heap growth contain the blast radius if a bomb does get through. Dependencies should be kept current so that the upstream fix is in place wherever superagent is used, including transitively.