Hi everyone,

It has recently come to my attention that some changes to Node.js that
shipped in April may result in the `permessage-deflate` npm package [1]
becoming vulnerable to a denial-of-service attack. If you are running this
package on any of these Node versions, please read on:

- v4.8.2 and above
- v6.10.2 and above
- v8.0.0 and above

These releases include a breaking change that means some requests that
permessage-deflate treats as valid will now result in the server crashing.
I am still working on understanding these changes and what should be done
about them, and so am not publishing the full details here.

The recommended mitigation in the short term is to add code to your Node
servers and clients to prevent unhandled exceptions from crashing your
processes, for example:

    process.on('uncaughtException', function(error) {
      // log the error
    })

Even with this mitigation, the bug means sockets can be made to fail to
emit messages, and so may build up a backlog in their internal buffers. If
you are concerned about this, I recommend disabling this extension entirely
for the time being.

I hope to have more details and a long-term fix out as soon as possible,
but please bear in mind I have limited spare time in which to do so.

[1]: https://www.npmjs.com/package/permessage-deflate

-- 
James Coglan
http://jcoglan.com

--- 
You received this message because you are subscribed to the Google Groups 
"nodejs" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/nodejs/CALm1c-FdWY6Mx5d-n2bm6ds_eXE6hxNZZ2RfgkQ_w9nM4tZ7CA%40mail.gmail.com.