CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
AI Score confidence: Low
EPSS percentile: 10.3%
A potential solution is attached as 0001-improve-bytesMatch.patch
Summary:
I was investigating some low-hanging fruit regarding performance bottlenecks in undici when I found this potential security issue in undici, and thus in Node.js. First I wrote a benchmark for bytesMatch and saw the following result:
aras@aras-Lenovo-Legion-5-17ARH05H:~/workspace/undici$ node benchmarks/bytesMatch.mjs
cpu: AMD Ryzen 7 4800H with Radeon Graphics
runtime: node v21.6.2 (x64-linux)
benchmark                                 time (avg)       (min … max)             p75        p99        p999
-------------------------------------------------------------------------------------------------------------
bytesMatch valid sha256 and base64        2'292 ns/iter    (2'009 ns … 9'452 ns)   2'209 ns   7'709 ns   9'452 ns
bytesMatch invalid sha256 and base64      2'153 ns/iter    (2'013 ns … 2'306 ns)   2'209 ns   2'275 ns   2'306 ns
bytesMatch valid sha256 and base64url       243 ns/iter    (205 ns … 318 ns)         261 ns     286 ns     301 ns
bytesMatch invalid sha256 and base64url     245 ns/iter    (203 ns … 400 ns)         264 ns     320 ns     390 ns
See attached 0001-add-benchmark.patch
So for some reason base64url was significantly faster than base64, even in the invalid case. So further investigations resulted in the finding that parseHashWithOptions in the underlying undici library is not matching base64url-encoded hashes. Worse, it is not matching any algorithms provided with invalid hashes. E.g., sha256-- won't result in detecting that a sha256 hash was provided, thus totally skipping the whole SRI check.
See attached 0001-add-test.patch. It contains unit tests, which you can run against the main branch.
Resources which should be checked via SRI Logic are loaded nonetheless.