Node.js zlib Module DoS


Node.js is an open-source, cross-platform JavaScript runtime for executing JavaScript code server-side. A denial of service vulnerability exists in Node.js. zlib v1.2.9 introduced a change that makes initialization of a raw deflate stream with an 8-bit window (windowBits = 8) fail with the Z_STREAM_ERROR error code; the Node.js zlib binding did not expect that return value, so the failure surfaces as an unhandled exception that crashes the process. An attacker can trigger this remotely by sending a crafted HTTP WebSocket upgrade request that selects an 8-bit window for the compression extension. The affected versions are Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0.

zlib is a lossless data compression library that ships with Node.js. Node's public zlib module is a thin wrapper over the native binding, which it loads as follows:

const binding = process.binding('zlib');

The windowBits value handed to zlib can be chosen by the client. The permessage-deflate WebSocket extension lets the client send "server_max_window_bits=X" and "client_max_window_bits=X" parameters in the "Sec-WebSocket-Extensions" header of the upgrade request, and a server that forwards these values to zlib without further checks gives the remote peer direct control over windowBits.

Below is the error handling logic involved. A windowBits value of 8 passes Node's own range validation (8 to 15 are accepted), so it is never rejected before reaching zlib's deflateInit2(). For a raw deflate stream zlib 1.2.9 answers that call with Z_STREAM_ERROR, a return code the binding does not handle, and the result is an unhandled exception.

To exploit this DoS vulnerability, an attacker simply sends a WebSocket upgrade request that sets windowBits to 8:

The SonicWall Capture Labs Threat Research team has developed the following signatures to identify and stop attacks targeting this vulnerability:

  • IPS 13169: Node.js zlib Module DoS
  • WAF 1674: Node.js zlib Module DoS