Intel

AIKIDO-2026-888685

@hocuspocus/server is vulnerable to Uncontrolled Resource Consumption

Uncontrolled Resource Consumption Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 26, 2026

59

Medium Risk

This Affects:

JS@hocuspocus/server
1.0.0 - 4.2.0
Fixed in 4.3.0
Are you affected? Scan for Free

TL;DR

The server buffers inbound WebSocket frames from a connection in memory while its documents are still authenticating, using a per-connection queue keyed by document name. Before this fix there was no cap on how much an unauthenticated client could buffer: it could flood frames, fan out across many distinct document names, and keep the socket alive past the idle timeout because inbound traffic refreshed the deadline. A remote unauthenticated attacker could exploit this to grow server memory without bound and exhaust the host, taking down the collaboration backend for all users. The fix adds per-connection caps on buffered bytes, buffered messages, and pending unauthenticated documents, enforces an absolute pre-auth deadline that inbound traffic cannot refresh, and releases buffered queue and hook state when a connection is closed or terminated.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your Hocuspocus server accepts WebSocket connections from untrusted clients.

Background info

@hocuspocus/server is vulnerable to Uncontrolled Resource Consumption in versions 1.0.0 - 4.2.0.

How to fix this

Upgrade the @hocuspocus/server library to the patch version.