-
-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Denial of service vulnerability in adapter-node #1523
Comments
Looking a little deeper, it looks like adapter-node is using "polka" to handle requests, a framework which was last updated on npm 2 years ago, has just 200 commits on github, and seems to be maintained (not very actively) by a single person. From a security point of view, this doesn't look great. |
The problem is that neither adapter-node, nor polka itself catch the exception that may be thrown by getRawBody in https://github.com/sveltejs/kit/blob/master/packages/adapter-node/src/server.js#L47 |
1.0.0-next.14 was added to npm just 2 months ago |
This one is not stable. The latest stable version is 0.5.2, published 2 years ago |
next.14 is the version currently being used by the Node adapter, not the two-year-old 0.5.2. |
Describe the bug
There is a remote denial of service vulnerability that allows attackers to crash the default web server for adapter-node.
Logs
The only logs I have are this:
To Reproduce
Run the default template sveltekit application with adapter-node on port 3000, then, from a terminal :
Expected behavior
No one should be able to remotely crash the server.
Whatever their payload, the sveltekit server should not crash, especially before entering user-defined code.
Stacktraces
Information about your SvelteKit Installation:
Severity
This is a severe security vulnerability which allows anyone on the internet to take down any SvelteKit server.
I found this issue in my server logs, so there are actual people making these requests this in the wild.
All that is needed to crash the server is a client that closes the connection early while they are sending a json payload.
Additional context
I'll keep this issue updated if I manager to reproduce the crash myself.
Edit: I initially couldn't reproduce the crash myself. I edited the issue with the reproduction once I managed to reproduce the issue.
The text was updated successfully, but these errors were encountered: