thrift is vulnerable to Denial of Service (DoS)
59
Medium Risk
The Node.js server transport receivers in the thrift package accumulate incoming bytes without enforcing a maximum message or frame size and without rejecting negative frame sizes. TFramedTransport.receiver reads an attacker-controlled 32-bit frame length and keeps concatenating the residual buffer on every packet, so a remote peer can force the server to buffer unbounded data and repeatedly recopy the growing buffer. This lets an unauthenticated client exhaust memory and CPU and take down a Node.js Thrift server. The fix applies a default receive limit consistent with the maxMessageSize/maxFrameSize used by other Thrift libraries, rejects oversized and negative frames through the stream error path, and grows the receive buffer geometrically.
You are affected if you are using a version that falls within the vulnerable range and you run a Node.js Thrift server that receives data over the framed or buffered transport.
thrift is vulnerable to Denial of Service (DoS) in versions 0.7.0 - 0.23.0.
Upgrade the thrift library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant