A Denial of Service (DoS) vulnerability allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (/signalk/v1/access/requests). This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects.
The vulnerability is caused by a lack of rate limiting and improper memory management for incoming access requests.
Vulnerable Code Analysis:
In src/requestResponse.js, requests are stored in a simple JavaScript object:
const requests = {}
The createRequest function adds new requests to this object without checking the current size or count of existing requests.
The pruneRequests function, which removes old requests, runs only once every 15 minutes (pruneIntervalRate).
/signalk/v1/access/requests accepts POST requests from any client without any rate limiting or authentication (by design, as it's for initial access requests).
Exploit Scenario:
/signalk/v1/access/requests.
requests object in the Node.js heap.
FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory.
The following Python script reproduces the crash by flooding the server with requests containing 100KB payloads.
import urllib.request
import json
import threading
import time
# Target Configuration
TARGET_URL = "http://localhost:3000/signalk/v1/access/requests"
PAYLOAD_SIZE_MB = 0.1 # 100 KB per request
NUM_REQUESTS = 20000 # Sufficient to exhaust heap
CONCURRENCY = 50
# Generate a large...
2.19.0
CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: AV:N, AC:L, PR:N, UI:N
Scope: S:U
Impact: C:N, I:N, A:H
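Mitigation sketch for the unbounded requests object described in the code analysis above. This is an added example, not SignalK's code or its actual fix: the class name BoundedRequestStore, its method names and all four limits are assumptions chosen for illustration. It caps the size of each stored request, the number of pending requests per source address and in total, and prunes on every insert rather than only on the 15-minute timer.

```javascript
// Added example: bounded replacement for the advisory's `const requests = {}`.
// All limits below are assumed values, not SignalK settings.
const MAX_PENDING = 100 // total pending access requests held in memory
const MAX_PER_CLIENT = 3 // pending requests allowed per source address
const MAX_BODY_BYTES = 4096 // serialized size allowed per request
const REQUEST_TTL_MS = 15 * 60 * 1000 // assumed lifetime of a pending request

class BoundedRequestStore {
  constructor (now = Date.now) {
    this.requests = new Map() // Map keeps insertion order, so oldest comes first
    this.now = now
    this.nextId = 1
  }

  // Remove expired entries. Called on every insert, not only from a timer.
  prune () {
    const cutoff = this.now() - REQUEST_TTL_MS
    for (const [id, req] of this.requests) {
      if (req.createdAt > cutoff) break // everything after this is newer
      this.requests.delete(id)
    }
  }

  // Returns { ok: true, id } or { ok: false, status, reason } for the HTTP layer.
  create (clientIp, body) {
    if (Buffer.byteLength(JSON.stringify(body ?? null)) > MAX_BODY_BYTES) {
      return { ok: false, status: 413, reason: 'request body too large' }
    }
    this.prune()
    let fromClient = 0
    for (const req of this.requests.values()) {
      if (req.clientIp === clientIp) fromClient++
    }
    if (fromClient >= MAX_PER_CLIENT) {
      return { ok: false, status: 429, reason: 'too many pending requests from this address' }
    }
    if (this.requests.size >= MAX_PENDING) {
      return { ok: false, status: 503, reason: 'pending request table is full' }
    }
    const id = String(this.nextId++)
    this.requests.set(id, { clientIp, body, createdAt: this.now() })
    return { ok: true, id }
  }
}
```

The size check here measures a body that has already been parsed, so the HTTP body parser in front of this store needs its own size limit as well.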