Security advisory: permessage-deflate-node

[James Coglan]

Hi everyone,

It has recently come to my attention that some changes to Node.js that shipped in April may result in the `permessage-deflate` npm package [1] becoming vulnerable to a denial-of-service attack. If you are running this package on any of these Node versions, please read on:

- v4.8.2 and above

- v6.10.2 and above

- v8.0.0 and above

These releases include a breaking change that mean some requests that permessage-deflate treats as valid will now result in the server crashing. I am still working on understanding these changes and what should be done about them, and so am not publishing the full details here.

The recommended mitigation in the short term is to add code to your Node servers and clients to prevent unhandled exceptions from crashing your processes, for example:

    process.on('uncaughtException', function(error) {

      // log the error

    })

Even with this mitigation, the bug means sockets can be made to fail to emit messages, and so may build up a backlog in their internal buffers. If you are concerned about this, I recommend disabling this extension entirely for the time being.

I hope to have more details and a long-term fix out as soon as possible, but please bear in mind I have limited spare time in which to do so.

[1]: https://www.npmjs.com/package/permessage-deflate