undici WebSocket Client Denial-of-Service Vulnerability via Improper Compression Parameter Validation

Vulnerability

A denial-of-service vulnerability has been identified in the undici WebSocket client, affecting 6.x versions before 6.24.0 and 7.x versions before 7.24.0. The issue arises from inadequate validation of the 'server_max_window_bits' parameter of the 'permessage-deflate' compression extension (RFC 7692), whose only legal values are integers from 8 to 15. The undici client automatically offers permessage-deflate in its opening handshake, so no application opt-in is needed for the vulnerable code path to be reachable. A malicious (or compromised) server can accept the extension with an out-of-range 'server_max_window_bits' value; the client then passes that value to zlib when it constructs its InflateRaw instance, and zlib throws a synchronous RangeError. Because the exception is raised outside any user-supplied callback, it is not handled, and the Node.js process terminates immediately.

Impact

Exploitation causes an uncaught synchronous RangeError and the immediate termination of the Node.js process. Any process that uses the undici WebSocket client to connect to a server under attacker control (including a legitimate endpoint that has been compromised or whose hostname has been redirected) can be crashed at will. A try/catch around the call that opens the connection does not catch the error, since it is thrown later, during frame processing; only a process-level 'uncaughtException' handler would keep the process alive.

Reproduction

To reproduce this vulnerability, point the undici WebSocket client at a server that completes the handshake with a 'Sec-WebSocket-Extensions' response header accepting 'permessage-deflate' but carrying a 'server_max_window_bits' value outside the acceptable range of 8 to 15 (for example 16 or 7). When the client goes on to create its zlib InflateRaw instance with that value, zlib rejects the window size with a RangeError ('ERR_OUT_OF_RANGE'); the exception is not caught and the process crashes.

Remediation

Upgrade to undici 6.24.0 (for the 6.x line) or 7.24.0 (for the 7.x line), or later. Until the upgrade is deployed, treat every WebSocket server the client connects to as untrusted input; a process-level 'uncaughtException' handler can keep the process alive but does not fix the missing validation and should not be relied on as the remedy.

Added: Mar 12, 2026, 9:22 PM
Updated: Mar 12, 2026, 9:22 PM

Vulnerability Rating

Custom algorithm scores:

spread: 4.2
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 3.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.