Signal K Server Denial-of-Service Vulnerability via Unauthenticated Access Request Flooding

Vulnerability

A denial-of-service vulnerability has been identified in Signal K Server versions prior to 2.19.0. This vulnerability allows an unauthenticated attacker to crash the server by flooding the access request endpoint with a large number of requests. The unbounded in-memory storage of these request objects leads to a 'JavaScript heap out of memory' error, causing the server to crash. The vulnerability arises from a lack of rate limiting and improper memory management for incoming access requests.

Impact

Exploitation of this vulnerability leads to a verified denial-of-service condition, causing the Node.js process to crash after exhausting available memory. This disruption requires a manual restart of the server, causing downtime for the application.

Reproduction

The vulnerability can be reproduced by sending a high volume of POST requests to the '/signalk/v1/access/requests' endpoint. Each request should include a large payload, such as 100KB, to accelerate memory exhaustion. This can be automated with a Python script that simulates the attack by flooding the server with these heavy requests, taking advantage of the lack of authentication and rate limiting on the endpoint.

Remediation

Users are advised to update to Signal K Server version 2.19.0 or later, where this vulnerability has been patched. Additionally, implementing rate limiting on the access request endpoint and enforcing strict limits on request payload sizes can help mitigate this issue.
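As an added illustration of the controls recommended above (this is not Signal K Server's own code), the Node.js snippet below models the POST /signalk/v1/access/requests handler with a payload-size check, a per-client sliding-window rate limit and a hard cap on the number of pending request objects held in memory. The endpoint path is taken from the advisory; the limit values, class and function names are assumptions for the example.

```javascript
// Added example, not Signal K Server code: the three controls the advisory calls for,
// applied to the POST /signalk/v1/access/requests handler. Limit values are assumed.
const DEFAULTS = {
  maxPending: 100,        // cap on access-request objects held in memory
  maxBodyBytes: 4 * 1024, // reject oversized payloads before storing anything
  windowMs: 60_000,       // per-client rate-limit window
  maxPerWindow: 5,        // submissions a single client may make per window
};

class AccessRequestStore {
  constructor(opts = {}) {
    Object.assign(this, DEFAULTS, opts);
    this.pending = new Map(); // requestId -> stored request (bounded by maxPending)
    this.hits = new Map();    // clientIp -> recent submission timestamps (<= maxPerWindow each)
    this.nextId = 1;
  }

  // Sliding-window limiter; returns false once a client exhausts its budget.
  allow(clientIp, now) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(clientIp) || []).filter((t) => t > cutoff);
    const ok = recent.length < this.maxPerWindow;
    if (ok) recent.push(now);
    this.hits.set(clientIp, recent);
    return ok;
  }

  // Models the unauthenticated access-request endpoint; returns an HTTP-style result.
  // Checks run cheapest-first so a flood is rejected before anything is stored.
  submit(clientIp, body, now = Date.now()) {
    if (Buffer.byteLength(body, 'utf8') > this.maxBodyBytes) return { status: 413 };
    if (!this.allow(clientIp, now)) return { status: 429 };
    if (this.pending.size >= this.maxPending) return { status: 503 };
    const id = String(this.nextId++);
    this.pending.set(id, { id, clientIp, body, createdAt: now });
    return { status: 202, id };
  }

  // Free the slot once an administrator approves or denies the request.
  resolve(id) { return this.pending.delete(id); }

  // Drop unanswered requests older than ttlMs so abandoned ones cannot pin memory.
  expire(now, ttlMs) {
    for (const [id, req] of this.pending) {
      if (now - req.createdAt > ttlMs) this.pending.delete(id);
    }
    return this.pending.size;
  }
}
```

A 100 KB body is refused with 413 before it is parsed or stored, and the pending cap turns a flood from many addresses into 503 responses instead of heap growth.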

Added: Jan 1, 2026, 6:20 PM
Updated: Jan 1, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.