Meteor ReDoS Vulnerability in DDP Server IP Address Parsing

Vulnerability

A regular expression denial-of-service (ReDoS) vulnerability has been identified in Meteor versions through 3.2.1. The issue resides in the DDP server's 'livedata_server.js' file, specifically within the 'Object.assign' function, in the code that derives a connection's client IP address from the 'x-forwarded-for' header. A crafted header value drives the regular expression used to split that header into excessive backtracking, so the time spent parsing grows roughly with the square of the length of the whitespace run in the header rather than linearly. Because the match runs synchronously on the Node.js event loop, the process saturates a CPU core and stops serving other clients while it runs. The header is only parsed when the 'HTTP_FORWARDED_COUNT' environment variable is set to an integer greater than 0, so only deployments configured to trust one or more reverse proxies are affected; in those deployments the vulnerability can be triggered remotely and without authentication, since the header is read when the connection is established, before any login takes place.

Impact

A single crafted request pins the Node.js event loop in regular-expression backtracking, so the server consumes a full CPU core and stops handling all other connections for as long as the match runs. Repeating the request keeps the server unresponsive, producing a denial-of-service condition that requires no authentication.

Reproduction

To reproduce this vulnerability, start a Meteor server with the 'HTTP_FORWARDED_COUNT' environment variable set to an integer greater than 0 (for example, HTTP_FORWARDED_COUNT=1). Then initiate a DDP connection to the server and include an 'x-forwarded-for' header whose value contains a long run of space characters followed by a character other than a comma; tens of thousands of spaces are enough to make the effect obvious. When the server parses the header to determine the client address, the regular expression consumes the run of spaces, fails to find a comma, and backtracks one character at a time from each starting position, so CPU usage climbs with the square of the run length and the server becomes unresponsive. Placing the server behind a reverse proxy does not by itself prevent this: a proxy normally appends its own entry to the incoming 'x-forwarded-for' value rather than replacing it, so the attacker-controlled prefix still reaches the application.

Remediation

Upgrade to Meteor version 3.2.2, which addresses this vulnerability by changing how the 'x-forwarded-for' header is split so that a crafted value can no longer cause excessive backtracking. The updated version is available on the official Meteor GitHub repository. Where an immediate upgrade is not possible, exposure can be reduced at the reverse proxy by overwriting the incoming 'x-forwarded-for' header with a proxy-controlled value instead of appending to it, or by rejecting requests with oversized headers before they reach the application. Unsetting 'HTTP_FORWARDED_COUNT' also removes the vulnerable code path, at the cost of the application seeing the proxy's address rather than the real client's.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  7.6
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.