Textream WebSocket Server Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Textream macOS teleprompter application, prior to version 1.5.1. The issue arises in the 'DirectorServer' WebSocket server, which does not limit concurrent connections. This flaw, combined with a broadcast timer that sends state updates to all connected clients every 100 milliseconds, allows an attacker to overwhelm the server with connections. The excessive load on CPU and memory causes the Textream application to freeze and crash during live sessions.
Impact
Exploitation of this vulnerability leads to high resource consumption, causing the Textream application to become unresponsive and crash, disrupting any active live sessions.
Reproduction
The vulnerability can be reproduced by flooding the 'DirectorServer' WebSocket server with a high number of connections. This can be done using a browser's developer console or a Node.js script that opens thousands of WebSocket connections to the server. Once the connections are established, the Textream application will quickly become unresponsive and eventually crash.
Remediation
Users should update to Textream version 1.5.1, which addresses this vulnerability by enforcing a limit on concurrent connections and offloading the broadcast process to a background queue.
