
Node's new vulnerability you need to know about if you're processing user data — it could crash your server

  • Writer: Hex Miller-Bakewell
  • Jan 22
  • 3 min read

Updated: Feb 11

Servers running React, Next.js, or using tools like Datadog are vulnerable to a new Denial of Service attack that was patched on January 13th. If you're processing user data, like we are, then your server could be at risk. Thankfully, HDA isn't using server-side rendering and is not affected. Do check whether yours is.


What's the Risk?


Someone can force your server to crash by making it process malicious data. This is a serious concern that can impact your operations and user experience.


How is it Triggered?


The attack is triggered when someone sends your server a JSON object with, for example, 50,000 layers of nesting. Any recursive code that walks such a structure has to descend 50,000 levels, which is what leads to the problems described below.
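The cheapest defence against this kind of payload is to measure nesting depth before anything recursive touches the data. The following is an added example (not code from the original post or from Node.js): a single-pass scanner that counts bracket depth in raw JSON text, skipping brackets inside string literals, and a wrapper that refuses to parse anything deeper than a chosen limit. The `MAX_JSON_DEPTH` value of 64 is an assumption; pick one that fits your real request bodies.

```javascript
// Added example, not from the original post. Measures the nesting depth of raw
// JSON text *before* handing it to anything recursive, and rejects inputs nested
// deeper than a chosen limit. The scan is a single loop, so it cannot itself
// exhaust the stack however deep the input is.

const MAX_JSON_DEPTH = 64; // assumed limit; tune to your own payloads

// Returns the maximum bracket/brace nesting depth of a JSON string. Brackets
// inside string literals are skipped, so "[[[" in a value does not count.
function jsonNestingDepth(text) {
  let depth = 0;
  let maxDepth = 0;
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (ch === '\\') i++;            // skip the escaped character
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') {
      inString = true;
    } else if (ch === '{' || ch === '[') {
      depth++;
      if (depth > maxDepth) maxDepth = depth;
    } else if (ch === '}' || ch === ']') {
      depth--;
    }
  }
  return maxDepth;
}

// Parses only when the payload is within the depth budget; otherwise returns an
// error result the caller can turn into an HTTP 400 without touching the data.
function parseBoundedJson(text, maxDepth = MAX_JSON_DEPTH) {
  const depth = jsonNestingDepth(text);
  if (depth > maxDepth) {
    return { ok: false, depth, error: `JSON nested ${depth} levels, limit is ${maxDepth}` };
  }
  try {
    return { ok: true, depth, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, depth, error: err.message };
  }
}

// Constructed inputs: a normal request body and a 50,000-level hostile one.
const benignBody = '{"user":{"tags":["a","b"],"note":"[[not nested]]"}}';
const hostileBody = '['.repeat(50000) + ']'.repeat(50000);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseBoundedJson(benignBody));   // ok: true, depth: 3
  console.log(parseBoundedJson(hostileBody));  // ok: false, depth: 50000
}
```

Run the check in body-parsing middleware, before validation or logging code gets a chance to recurse over the object; rejecting on raw text means the hostile payload is never materialised at all.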


What's the Cause?


The root cause is "Stack Exhaustion." This occurs when recursive code calls itself so many times that it runs out of stack space. If this happens while an async hook is also being processed, the whole program terminates, skipping any error handling the developer has written.


How It Crashes Node Servers, and How They Fixed It


Async hooks are triggered each time your code performs any asynchronous operation (which covers nearly everything a server does). They're used in React Server Components, Next.js' request context tracking, and Application Performance Monitors like Datadog.


[Image from the Node.js blog: a code snippet showing how a React component triggers asynchronous calls]

Combining async hooks with recursion is where we encounter a real problem.


In the V8 engine, recursive code uses up more and more of the stack with each call to itself. When the stack runs out we get an error, which can normally be caught and handled. Async hooks change that: V8 wraps them in a "kFatal" context, meaning that if an error occurs while an async hook is being processed, the process terminates without trying to handle it.


Recursive asynchronous code creates a new Promise object with each recursive call. A new Promise means the async context has changed, which means all our async hooks run again, on every call. As the recursion continues, the call stack becomes layers of "your program code, which can handle errors fine," alternating with layers of "the async hook, which terminates your program on error." When we run out of stack space, we get an error, and how the program reacts depends on which layer we're in at that moment.


The fix adds a little more nuance to the async hook's "kFatal" context. It allows Stack Overflow errors (including Stack Exhaustion) to be passed back to the error handlers without triggering termination.


Understanding the Impact


It's essential to grasp the implications of this vulnerability. While it's not nearly as serious as December's vulnerabilities, it can still take down your web app. You need to be proactive in checking your systems.


What You Can Do


  1. Update Your Node Version: Ensure you're using the latest version of Node.js. This is the simplest way to protect your server from known vulnerabilities.
  2. Monitor Your Logs: Keep an eye on your server logs for any unusual activity. Early detection can help mitigate potential attacks.
  3. Implement Rate Limiting: Consider implementing rate limiting on your APIs. This can help prevent abuse by limiting the number of requests a user can make in a given timeframe.
  4. Test Your Application: Regularly test your application for vulnerabilities. Use tools and services that can simulate attacks to identify weaknesses.
  5. Educate Your Team: Make sure your team understands the risks associated with asynchronous programming and how to write safe code.


Bottom Line: It's crucial to stay informed and vigilant. Check here if your version of Node is vulnerable!


Conclusion


While the recent Denial of Service attack may not be as severe as previous vulnerabilities, it still poses a risk. By understanding the mechanics behind it and taking proactive measures, you can safeguard your applications. Remember, your server's health is paramount, and staying updated is your best defense.
