#39993 [W&A-Low] node-fetch without response limit

Submitted on Feb 12th 2025 at 12:01:18 UTC by @riproprip for Audit Comp | Shardeum: Ancillaries III

  • Report ID: #39993

  • Report Type: Websites and Applications

  • Report severity: Low

  • Target: https://github.com/shardeum/archive-server/tree/itn4

  • Impacts:

    • Taking down the application/website

Description

Brief/Intro

The archiver uses node-fetch without response size limits. This allows attackers to use up all the memory on the system until it crashes.

Vulnerability Details

node-fetch should be called with a response limit. Since no limit is supplied and node-fetch transparently accepts compressed responses, the counterparty can return a small, highly compressible body that inflates to a very large one, using very little bandwidth/transfer volume/resources to crash a node.

Please note that while the attacker does not initiate the attack itself, the victim has to make contact with other archivers/nodes to function (giving attackers the option to strike).

Impact Details

Usually just the node process gets killed. In rare cases the OS also kills other processes.

References

This happens on multiple occasions throughout the code. A search for "fetch(" probably finds all the instances.

[1] YouTube video demonstrating the crash on a 16GB memory system. https://youtu.be/cGheyyusKXc

Notes

Since this bug is similar in nature to 39395, it makes sense to go through triage with that one first, before resolving this bug.

Proof of Concept

The POC is very similar to: 39395

Steps

Notes

Should your node have more than 16GB of RAM, please use the following link in place of compressed_34.json. It works up to 256GB of RAM.

https://gist.githubusercontent.com/cki/bcc3d28f00c57db78b8916dcc0386462/raw/87f582828ebcb645207b5f1d546dc4b072ab017f/256gb_compressed.json
