Oak Middleware Framework Denial-of-Service Vulnerability via Header Manipulation

Vulnerability

A denial-of-service vulnerability has been identified in the Oak middleware framework, affecting versions 17.1.5 and prior. The issue arises when the 'x-forwarded-proto' or 'x-forwarded-for' headers are manipulated with specially crafted values, leading to a significant slowdown of the Oak server. This vulnerability is present in environments where Oak is used as a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers, and Bun.

Impact

Exploitation of this vulnerability causes a noticeable degradation in server performance, with response times significantly increased. With normal header values, request handling completes in milliseconds; with crafted values it takes far longer, and that difference is what degrades server availability.

Reproduction

The vulnerability can be reproduced by sending HTTP requests to an Oak server with crafted 'x-forwarded-proto' or 'x-forwarded-for' header values. This can be done using a Deno script that sets these headers with values designed to mimic worst-case scenarios, such as long strings or multiple IP addresses separated by commas. The server can be set up to log the time taken to process each request, showing the impact of the header manipulation.

Remediation

Users can upgrade to Oak version 17.1.6 or later, where this vulnerability has been addressed.

Added: Aug 9, 2025, 2:17 AM
Updated: Aug 9, 2025, 2:17 AM

Vulnerability Rating

Custom Algorithm
  spread:         0.0
  impact:         2.5
  exploitability: 8.7
  remediation:    7.7
  relevance:      0.3
  threat:         6.4
  urgency:        2.9
  incentive:      5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.