Node.js zlib Module DoS

January 27, 2018

Node.js is an open-source, cross-platform JavaScript run-time environment for executing JavaScript code server-side. A denial of service vulnerability exists in Node.js. When the zlib v1.2.9 component in Node.js handles the 8-bit Z_STREAM_ERROR error code, there is an logic error that ignored certain values, causing an unhandled exception. An attacker could cause denial of service by sending a certain crafted HTTP request via the WebSocket protocol. The affected version includes node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0.

zlib is a lossless compression library which is natively supported by Node.js. It can be called inside the code via a wrapper module:

const binding = process.binding('zlib');

The windowBit value in the zlib library could be assigned by a client request by sending the "server_max_window_bits=X" and "client_max_window_bits=X" values in the "Sec-WebSocket-Extensions" header.

Below is the logic of error exception handling in zlib. When the windowBit value is set to 8, it won't fall into any of the conditions of throwing an Z_STREAM_ERROR and leads to an unhandled exception.

In order to exploit this DoS vulnerability, an attack could simply send a HTTP request and set the windowBit to 8:

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13169: Node.js zlib Module DoS
  • WAF 1674: Node.js zlib Module DoS