Denial of service vulnerability in adapter-node
Describe the bug
There is a remote denial of service vulnerability that allows attackers to crash the default web server for adapter-node.
Logs
The only logs I have are this:
May 22 22:36:08 sanipasse node[117756]: node:internal/process/promises:246
May 22 22:36:08 sanipasse node[117756]: triggerUncaughtException(err, true /* fromPromise */);
May 22 22:36:08 sanipasse node[117756]: ^
May 22 22:36:08 sanipasse node[117756]: Error: aborted
May 22 22:36:08 sanipasse node[117756]: at connResetException (node:internal/errors:683:14)
May 22 22:36:08 sanipasse node[117756]: at abortIncoming (node:_http_server:592:17)
May 22 22:36:08 sanipasse node[117756]: at socketOnClose (node:_http_server:586:3)
May 22 22:36:08 sanipasse node[117756]: at Socket.emit (node:events:377:35)
May 22 22:36:08 sanipasse node[117756]: at TCP.<anonymous> (node:net:661:12) {
May 22 22:36:08 sanipasse node[117756]: code: 'ECONNRESET'
May 22 22:36:08 sanipasse node[117756]: }
May 22 22:36:09 sanipasse systemd[1]: sanipasse.service: Main process exited, code=exited, status=1/FAILURE
May 22 22:36:09 sanipasse systemd[1]: sanipasse.service: Failed with result 'exit-code'.
To Reproduce
Run the default template sveltekit application with adapter-node on port 3000, then, from a terminal:
$ nc localhost 3000
POST /x HTTP/1.1
Content-Length: 1000
Content-Type: application/json
^C
Expected behavior
No one should be able to remotely crash the server. Whatever their payload, the sveltekit server should not crash, especially before entering user-defined code.
Stacktraces
node:internal/process/promises:246
triggerUncaughtException(err, true /* fromPromise */);
^
Error: aborted
at connResetException (node:internal/errors:683:14)
at abortIncoming (node:_http_server:592:17)
at socketOnClose (node:_http_server:586:3)
at Socket.emit (node:events:377:35)
at TCP.<anonymous> (node:net:661:12) {
Information about your SvelteKit Installation:
- kit 1.0.0-next.107
- node v16.1.0
- Your adapter : node
Severity
This is a severe security vulnerability which allows anyone on the internet to take down any SvelteKit server. I found this issue in my server logs, so there are actual people making these requests in the wild. All that is needed to crash the server is a client that closes the connection early while they are sending a json payload.
Additional context
I’ll keep this issue updated if I manage to reproduce the crash myself.
Edit: I initially couldn’t reproduce the crash myself. I edited the issue with the reproduction once I managed to reproduce the issue.
Top GitHub Comments
Looking a little deeper, it looks like adapter-node is using “polka” to handle requests, a framework which was last updated on npm 2 years ago, has just 200 commits on github, and seems to be maintained (not very actively) by a single person.
From a security point of view, this doesn’t look great.
The problem is that neither adapter-node, nor polka itself catch the exception that may be thrown by getRawBody in
https://github.com/sveltejs/kit/blob/master/packages/adapter-node/src/server.js#L47