From 9188563304e283b0e8a3f1a1bdaf6a11b85f0def Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Thu, 24 Jul 2025 00:53:28 -0300 Subject: [PATCH] doc: add constraints for mem leak to threat model MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As discussed in https://github.com/nodejs-private/node-private/pull/719. We should clarify what the criteria are to accept a memory leak as a vulnerability (potential DoS). Signed-off-by: RafaelGSS PR-URL: https://github.com/nodejs/node/pull/58917 Reviewed-By: Ulises Gascón Reviewed-By: Marco Ippolito Reviewed-By: Trivikram Kamat Reviewed-By: James M Snell --- SECURITY.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 9650e812914..89a592d743b 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -109,6 +109,21 @@ does not trust is considered a vulnerability: the correct use of Node.js APIs. * The unavailability of the runtime, including the unbounded degradation of its performance. +* Memory leaks qualify as vulnerabilities when all of the following criteria are met: + * The API is being correctly used. + * The API doesn't have a warning against its usage in a production environment. + * The API is public and documented. + * The API is on stable (2.0) status. + * The memory leak is significant, causing a DoS fast or in a user-uncontrolled space (for instance, on HTTP parsing). + * The memory leak is directly exploitable by an untrusted source without requiring application mistakes. + * The leak cannot be reasonably mitigated through standard operational practices (like process recycling). + * The leak occurs deterministically under normal usage patterns rather than edge cases. + * The leak occurs at a rate that would cause practical resource exhaustion within a practical timeframe under + typical workloads. + * The attack demonstrates [asymmetric resource consumption](https://cwe.mitre.org/data/definitions/405.html), + where the attacker expends significantly fewer resources than what's required by the server to process the + attack. Attacks requiring comparable resources on the attacker's side (which can be mitigated through common + practices like rate limiting) may not qualify. If Node.js loads configuration files or runs code by default (without a specific request from the user), and this is not documented, it is considered a
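Review bot: the lead-in "Memory leaks qualify as vulnerabilities when all of the following criteria are met" makes the list conjunctive, but the last bullet closes with "may not qualify", which turns a hard checklist into a discretionary one; either drop that trailing sentence or move the rate-limiting remark into prose after the list so every bullet is a strict requirement. Several bullets in the same hunk also restate each other and would be clearer merged: "The memory leak is significant, causing a DoS fast" and "The leak occurs at a rate that would cause practical resource exhaustion within a practical timeframe" describe one condition, and "directly exploitable by an untrusted source without requiring application mistakes" largely repeats "The API is being correctly used". The bullet "The API is on stable (2.0) status" does not match the wording of the stability index used in the API docs; "Stability: 2 - Stable" would be the conventional reference. Minor wording: "on HTTP parsing" should read "in HTTP parsing", and "what's required" could be "what is required" to match the surrounding prose.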