Applications using Thrift before version 0.14.0 would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
Applications using Thrift before version 0.14.0 would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
https://www.openwall.com/lists/oss-security/2021/02/11/2