Denial of service vulnerability in adapter-node

[lovasoa]

Describe the bug

There is a remote denial of service vulnerability that allows attackers to crash the default web server for adapter-node.

Logs

The only logs I have are this:

May 22 22:36:08 sanipasse node[117756]: node:internal/process/promises:246
May 22 22:36:08 sanipasse node[117756]:           triggerUncaughtException(err, true /* fromPromise */);
May 22 22:36:08 sanipasse node[117756]:           ^
May 22 22:36:08 sanipasse node[117756]: Error: aborted
May 22 22:36:08 sanipasse node[117756]:     at connResetException (node:internal/errors:683:14)
May 22 22:36:08 sanipasse node[117756]:     at abortIncoming (node:_http_server:592:17)
May 22 22:36:08 sanipasse node[117756]:     at socketOnClose (node:_http_server:586:3)
May 22 22:36:08 sanipasse node[117756]:     at Socket.emit (node:events:377:35)
May 22 22:36:08 sanipasse node[117756]:     at TCP.<anonymous> (node:net:661:12) {
May 22 22:36:08 sanipasse node[117756]:   code: 'ECONNRESET'
May 22 22:36:08 sanipasse node[117756]: }
May 22 22:36:09 sanipasse systemd[1]: sanipasse.service: Main process exited, code=exited, status=1/FAILURE
May 22 22:36:09 sanipasse systemd[1]: sanipasse.service: Failed with result 'exit-code'.

To Reproduce

Run the default template sveltekit application with adapter-node on port 3000, then, from a terminal :

$ nc localhost 3000
POST /x HTTP/1.1
Content-Length: 1000
Content-Type: application/json

^C

Expected behavior

No one should be able to remotely crash the server.
Whatever their payload, the sveltekit server should not crash, especially before entering user-defined code.

Stacktraces

node:internal/process/promises:246
           triggerUncaughtException(err, true /* fromPromise */);
          ^
 Error: aborted
    at connResetException (node:internal/errors:683:14)
    at abortIncoming (node:_http_server:592:17)
    at socketOnClose (node:_http_server:586:3)
    at Socket.emit (node:events:377:35)
    at TCP.<anonymous> (node:net:661:12) {

Information about your SvelteKit Installation:

• kit 1.0.0-next.107
• node v16.1.0
• Your adapter : node

Severity

This is a severe security vulnerability which allows anyone on the internet to take down any SvelteKit server.
I found this issue in my server logs, so there are actual people making these requests this in the wild.
All that is needed to crash the server is a client that closes the connection early while they are sending a json payload.

Additional context

I'll keep this issue updated if I manager to reproduce the crash myself.

Edit: I initially couldn't reproduce the crash myself. I edited the issue with the reproduction once I managed to reproduce the issue.

[lovasoa]

Looking a little deeper, it looks like adapter-node is using "polka" to handle requests, a framework which was last updated on npm 2 years ago, has just 200 commits on github, and seems to be maintained (not very actively) by a single person.

From a security point of view, this doesn't look great.

[lovasoa]

The problem is that neither adapter-node, nor polka itself catch the exception that may be thrown by getRawBody in

https://github.com/sveltejs/kit/blob/master/packages/adapter-node/src/server.js#L47

[benmccann]

a framework which was last updated on npm 2 years ago

1.0.0-next.14 was added to npm just 2 months ago

[lovasoa]

This one is not stable. The latest stable version is 0.5.2, published 2 years ago

[Conduitry]

next.14 is the version currently being used by the Node adapter, not the two-year-old 0.5.2.