elixir-nodejs Cross-User Data Leakage Vulnerability
Vulnerability
A cross-user data leakage vulnerability has been identified in elixir-nodejs versions prior to 3.1.4. This vulnerability arises from a race condition in the worker protocol, where the lack of proper request-response correlation allows for 'stale responses' to be sent to unrelated callers. In high-throughput environments processing sensitive user data, such as personal information, authentication tokens, or private records, a timeout or high concurrency can cause data belonging to one user to be inadvertently disclosed to another. This unauthorized information disclosure can be challenging to trace, as the application may not generate an error but instead provide seemingly valid yet incorrect private data to the wrong session.
Impact
Exploitation of this vulnerability can lead to unauthorized information disclosure, allowing one user to access sensitive data belonging to another user.
Reproduction
The vulnerability can be reproduced by invoking NodeJS.call in quick succession so that some calls time out. Issue #100 on the elixir-nodejs repository demonstrates this problem. After a timeout, the next call can receive a response intended for the previous one, creating an off-by-one error in the data sequence.
Remediation
Users can upgrade to elixir-nodejs version 3.1.4, which addresses this vulnerability by implementing request-response correlation to prevent data cross-contamination.
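The stale-response sequence described under Reproduction, and the effect of correlating replies to requests, can be seen in a small deterministic model. This is an added example, not code from elixir-nodejs or its fix; the class, function names, request ids and sample data are all hypothetical and constructed for illustration.

```javascript
// Constructed model of one caller talking to one worker over a FIFO pipe.
// All names here are hypothetical; this is not elixir-nodejs code.
class ModelWorker {
  constructor() {
    this.pending = []; // requests the worker has not answered yet
    this.pipe = [];    // replies written but not yet read by a caller
  }
  send(req) { this.pending.push(req); }
  finishOne() {        // answer the oldest pending request
    const req = this.pending.shift();
    if (req) this.pipe.push({ id: req.id, body: `private-data-of-${req.user}` });
  }
}

let nextId = 0;

// slow=true models a call whose reply arrives only after the caller timed out.
function call(worker, user, slow, correlate) {
  const id = ++nextId;
  worker.send({ id, user });
  if (!slow) worker.finishOne();        // reply arrives within the deadline
  let result = 'timeout';
  while (worker.pipe.length > 0) {
    const reply = worker.pipe.shift();
    if (!correlate || reply.id === id) { result = reply.body; break; }
    // correlate=true: reply carries another request's id, so discard it
  }
  if (slow) worker.finishOne();         // late reply lands in the pipe
  return result;
}

// First call times out, the next two complete normally.
function simulate(correlate) {
  const worker = new ModelWorker();
  return [['alice', true], ['bob', false], ['carol', false]]
    .map(([user, slow]) => [user, call(worker, user, slow, correlate)]);
}

// Flag any caller that received data not belonging to them.
function leaks(results) {
  return results.filter(([user, body]) =>
    body !== 'timeout' && body !== `private-data-of-${user}`);
}

console.log('uncorrelated:', simulate(false));
console.log('correlated:  ', simulate(true));
```

Without correlation, no call raises an error after the first timeout, which is why the leak is hard to trace; a check like leaks() over request/response pairs is one way to surface it in tests.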
