archive/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2025-08-15 13:48:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

doc: add constraints for mem leak to threat model

Browse source 
As discussed in https://github.com/nodejs-private/node-private/pull/719.

We should clarify what the criteria are to accept
memory leak as a vulnerability (potential DoS).

Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: https://github.com/nodejs/node/pull/58917
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit is contained in:
Rafael Gonzaga 2025-07-24 00:53:28 -03:00 committed by GitHub
parent 58b5dc3eb2
commit 9188563304
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 15 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

15
SECURITY.md
View file

@ -109,6 +109,21 @@ does not trust is considered a vulnerability:
the correct use of Node.js APIs.
* The unavailability of the runtime, including the unbounded degradation of its
performance.
* Memory leaks qualify as vulnerabilities when all of the following criteria are met:
* The API is being correctly used.
* The API doesn't have a warning against its usage in a production environment.
* The API is public and documented.
* The API is on stable (2.0) status.
* The memory leak is significant, causing a DoS fast or in a user-uncontrolled space (for instance, on HTTP parsing).
* The memory leak is directly exploitable by an untrusted source without requiring application mistakes.
* The leak cannot be reasonably mitigated through standard operational practices (like process recycling).
* The leak occurs deterministically under normal usage patterns rather than edge cases.
* The leak occurs at a rate that would cause practical resource exhaustion within a practical timeframe under
typical workloads.
* The attack demonstrates [asymmetric resource consumption](https://cwe.mitre.org/data/definitions/405.html),
where the attacker expends significantly fewer resources than what's required by the server to process the
attack. Attacks requiring comparable resources on the attacker's side (which can be mitigated through common
practices like rate limiting) may not qualify.
If Node.js loads configuration files or runs code by default (without a
specific request from the user), and this is not documented, it is considered a