Follow me on

Twitter: Scalar360


DOS in imgix CDN's image processing application by pixel flood

Description 

Imgix through 2019-06-19 allows remote attackers to cause a denial of service (resource consumption) by manipulating a small JPEG file to specify dimensions of 64250x64250 pixels, which is mishandled during an attempt to load the 'whole image' into memory.

I found the vulnerability in a private program where they were using imgix as a CDN; when imgix tried to process the crafted image, it suffered a DoS.

Vulnerability Type

  Buffer Overflow
  Impact: Denial of Service

Vendor of Product

imgix https://www.imgix.com/

Affected Component 

image processing application and CDN

Attack Type 

Remote

Summary:

  To exploit, I upload an image. I have an image of 5 KB, 260x260 pixels.
  In the image itself I exchange the 260x260 values with 0xfafa x 0xfafa
  (so 64250x64250 pixels). Now the imgix CDN service tries to convert the
  image once uploaded. By loading the 'whole image' into memory, it
  tries to allocate 4128062500 pixels into memory, flooding the memory
  and causing DoS.
  I received a 500 Internal Server Error with 55,000+ latency from the
  image CDN imgix.



Image can be downloaded from here:

  https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/file-upload/malicious-images/lottapixel.jpg
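A pre-decode check that stops this class of input, shown as an added example (not code from the original post or from imgix): it reads the dimensions declared in the JPEG SOF header and rejects the file if the pixel count exceeds a budget, before any decoder allocates memory. The names `jpeg_declared_size`, `check_upload`, `sample_header` and the `MAX_PIXELS` value are assumptions made for this illustration.

```python
import struct

MAX_PIXELS = 50_000_000  # assumed budget; size it to the memory one worker may use
# SOF0..SOF15 carry the frame size; 0xC4 (DHT), 0xC8 (JPG), 0xCC (DAC) do not.
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}


def jpeg_declared_size(data: bytes):
    """Return (width, height) from the first SOF segment without decoding pixels."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("malformed marker stream")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # markers with no length field
            pos += 2
            continue
        if marker in (0xD9, 0xDA):  # EOI or SOS reached before any SOF
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segment = data[pos + 4:pos + 2 + length]
        if length < 2 or len(segment) != length - 2:
            raise ValueError("truncated or invalid segment length")
        if marker in SOF_MARKERS:
            if len(segment) < 5:
                raise ValueError("SOF segment too short")
            height, width = struct.unpack(">HH", segment[1:5])
            return width, height
        pos += 2 + length
    raise ValueError("no SOF segment found")


def check_upload(data: bytes, max_pixels: int = MAX_PIXELS):
    """Reject the file before it reaches the decoder if the declared area is too large."""
    width, height = jpeg_declared_size(data)
    if width == 0 or height == 0 or width * height > max_pixels:
        raise ValueError(f"declared size {width}x{height} is outside the pixel budget")
    return width, height


def sample_header(width: int, height: int) -> bytes:
    """Constructed test input: SOI + JFIF APP0 + SOF0 only, no image data."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, height, width, 3)
    return b"\xff\xd8" + app0 + sof0 + bytes([1, 0x11, 0, 2, 0x11, 1, 3, 0x11, 1])
```

The check covers JPEG only; every other format the service accepts needs its own header check, and the decoder should still run under a memory limit as a second layer.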
