Intel

AIKIDO-2026-185433

thrift is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

59

Medium Risk

This Affects:

JSthrift
0.7.0 - 0.23.0
Fixed in 0.24.0
Are you affected? Scan for Free

TL;DR

The Node.js server transport receivers in the thrift package accumulate incoming bytes without enforcing a maximum message or frame size and without rejecting negative frame sizes. TFramedTransport.receiver reads an attacker-controlled 32-bit frame length and keeps concatenating the residual buffer on every packet, so a remote peer can force the server to buffer unbounded data and repeatedly recopy the growing buffer. This lets an unauthenticated client exhaust memory and CPU and take down a Node.js Thrift server. The fix applies a default receive limit consistent with the maxMessageSize/maxFrameSize used by other Thrift libraries, rejects oversized and negative frames through the stream error path, and grows the receive buffer geometrically.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you run a Node.js Thrift server that receives data over the framed or buffered transport.

Background info

thrift is vulnerable to Denial of Service (DoS) in versions 0.7.0 - 0.23.0.

How to fix this

Upgrade the thrift library to the patch version.