#39993 [W&A-Low] node-fetch without response limit
Was this helpful?
Was this helpful?
Submitted on Feb 12th 2025 at 12:01:18 UTC by @riproprip for
Report ID: #39993
Report Type: Websites and Applications
Report severity: Low
Target: https://github.com/shardeum/archive-server/tree/itn4
Impacts:
Taking down the application/website
The archiver uses node-fetch
without response size limits. This allows attackers to use up all the memory on the system until it crashes.
node-fetch
should be called with a response limit. Since a limit is not supplied and node-fetch
allows compressed responses, the counterparty can return a bunch of compressed stuff to use very little bandwith/transfer volume/resources to crash a node.
Please note that while the attacker does not initiate the attack itself, the victim has to make contact with other archivers/nodes to function (giving attackers the option to strike).
Usually just the node process gets killed. In rare cases the OS also kills other processes.
This happens on multiple occasions throughout the code. A search for "fetch(" probably finds all the instances.
[1] Youtube video demonstrating on a 16GB memory system. https://youtu.be/cGheyyusKXc
Since this bug is similar in nature to 39395
it makes sense to go through triage with that one first. Before resolving this bug.
The POC is very similar to: 39395
Should your node have more than 16GB of RAM please use following link for the compressed_34.json. It works up till 256GB of RAM.
https://gist.githubusercontent.com/cki/bcc3d28f00c57db78b8916dcc0386462/raw/87f582828ebcb645207b5f1d546dc4b072ab017f/256gb_compressed.json