@hocuspocus/server is vulnerable to Uncontrolled Resource Consumption
59
Medium Risk
The server buffers inbound WebSocket frames from a connection in memory while its documents are still authenticating, using a per-connection queue keyed by document name. Before this fix there was no cap on how much an unauthenticated client could buffer: it could flood frames, fan out across many distinct document names, and keep the socket alive past the idle timeout because inbound traffic refreshed the deadline. A remote unauthenticated attacker could exploit this to grow server memory without bound and exhaust the host, taking down the collaboration backend for all users. The fix adds per-connection caps on buffered bytes, buffered messages, and pending unauthenticated documents, enforces an absolute pre-auth deadline that inbound traffic cannot refresh, and releases buffered queue and hook state when a connection is closed or terminated.
You are affected if you are using a version that falls within the vulnerable range and your Hocuspocus server accepts WebSocket connections from untrusted clients.
@hocuspocus/server is vulnerable to Uncontrolled Resource Consumption in versions 1.0.0 - 4.2.0.
Upgrade the @hocuspocus/server library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant