This could be done by counting the number of attachments (including text parts) and reacting if the attachment count is over 1000, or so. Haraka is another affected library which has been used by Craigslist, Fort Anti-Spam and ThreatWave. The mailparser library, for example, receives as many as 249,400 monthly downloads and is used as a dependency by 214 other projects including Sendgrid. The vulnerability is easy to explain, easy to exploit, and affects thousands of systems. So, does your Node.js server parse email? Do you know which email parser are you using? Before you check, let’s see who this affects.īefore we continue, here’s the obligitary XKCD.Ī Denial of Service Shouldn’t be this Easy, Right? Memory usage will explode to 2 GB or more due to the internal objects created for each attachment, which is typically enough to bring down the entire server with an out-of-memory crash. When the email is sent to a vulnerable email server, it will freeze the Node.js event loop for several seconds due to the sheer number of attachments.
The vulnerability can be exploited by packing a few million empty attachments in a email that will bypass typical email size limits (usually 20 MB or less). Five of the most popular email parsers for Node.js have recently been found to be susceptible to a trivial denial of service (DoS) vulnerability.
0 kommentar(er)
