CVE-2020-27543
📋 TL;DR
CVE-2020-27543 is a denial-of-service vulnerability in the restify-paginate Node.js package where omitting the HTTP Host header causes an uncaught exception, crashing the web service. This affects any Node.js application using restify-paginate version 0.0.5. The vulnerability allows remote attackers to disrupt service availability without authentication.
💻 Affected Systems
- restify-paginate
📦 What is this software?
Restify Paginate by Restify Paginate Project
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage for all users of the affected web application, requiring manual restart of the Node.js process.
Likely Case
Intermittent service disruptions when attackers send crafted requests without Host headers, causing application crashes.
If Mitigated
Minimal impact if proper error handling is implemented or the application is behind a reverse proxy that validates headers.
🎯 Exploit Status
Exploitation requires only sending HTTP requests without Host headers, which is trivial to automate. Public proof-of-concept code is available in GitHub repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 0.0.6 and later
Vendor Advisory: https://github.com/paulvarache/restify-paginate/
Restart Required: Yes
Instructions:
1. Update package.json to specify restify-paginate version ^0.0.6 or higher.
2. Run 'npm update restify-paginate' or 'npm install restify-paginate@latest'.
3. Restart the Node.js application.
🔧 Temporary Workarounds
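Implement custom error handling middleware
Add middleware that rejects requests with a missing Host header before they can trigger the uncaught exception and crash the application. Register it before the restify-paginate middleware so it runs first.
    // In your Restify server setup, before the restify-paginate middleware:
    server.use(function (req, res, next) {
      try {
        if (!req.headers.host) {
          // No Host header: answer with 400 and stop the handler chain
          res.send(400, 'Host header required');
          return next(false);
        }
        next();
      } catch (err) {
        // Only catches errors thrown synchronously while calling next()
        res.send(500, 'Internal server error');
      }
    });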
Use reverse proxy with header validation
Configure a reverse proxy (nginx, Apache, etc.) to reject requests without Host headers before they reach the Node.js application.
    # nginx configuration example:
    server {
        listen 80;
        if ($http_host = '') {
            return 400;
        }
        # ... rest of configuration
    }
🧯 If You Can't Patch
- Deploy web application firewall (WAF) rules to block HTTP requests without Host headers
- Implement rate limiting to reduce impact of repeated attack attempts
🔍 How to Verify
Check if Vulnerable:
Check package.json or node_modules/restify-paginate/package.json for version 0.0.5. You can also test by sending an HTTP request without a Host header and checking whether the application crashes.
Check Version:
npm list restify-paginate | grep restify-paginate
Verify Fix Applied:
After updating, verify that the restify-paginate version is 0.0.6 or higher using 'npm list restify-paginate'. Then test with requests that have no Host header: the application should return an error response instead of crashing.
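The version check above, as an added example (not code from the advisory or from the restify-paginate project): it scans a parsed package-lock.json so that nested copies pulled in by other dependencies are found too, covering both the lockfileVersion 1 tree and the lockfileVersion 2/3 `packages` map. Treating every version below 0.0.6 as needing the update is an assumption (the page names only 0.0.5 as affected), and the sample lockfiles are constructed.

```javascript
const PKG = 'restify-paginate';
const FIXED = [0, 0, 6]; // first fixed release per the page; "< 0.0.6 is affected" is an assumption
// Parse "x.y.z" (ignoring any suffix) into numbers; null when it is not a semver string.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v || ''));
  return m ? m.slice(1).map(Number) : null;
}
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return true; // git URL or missing version: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false; // exactly the fixed release
}

// Returns [{ path, version }] for every flagged copy, nested installs included.
function findVulnerable(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.split('node_modules/').pop() === PKG && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  if (lock.packages) return hits; // v2 files repeat the same tree under "dependencies"
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PKG && isVulnerable(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles (not taken from a real project).
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-api' },
  'node_modules/restify-paginate': { version: '0.0.6' },
  'node_modules/legacy-api/node_modules/restify-paginate': { version: '0.0.5' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'restify-paginate': { version: '0.0.5' },
  'legacy-api': { version: '1.2.0', dependencies: { 'restify-paginate': { version: '0.0.4' } } },
} };
console.log(findVulnerable(sampleV3), findVulnerable(sampleV1));
```

To audit a real project, pass the function the result of `JSON.parse` on that project's package-lock.json; an empty result means no flagged copy is installed.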
📡 Detection & Monitoring
Log Indicators:
- Uncaught exception logs mentioning 'TypeError' or 'Cannot read property' related to Host header
- Application crash/restart logs without normal shutdown sequence
- Increased error rate in application logs
Network Indicators:
- HTTP requests without Host headers to Restify endpoints
- Sudden spikes in HTTP 500 errors from the application
SIEM Query:
source="application.logs" AND ("uncaught exception" OR "TypeError") AND "Host"
🔗 References
- https://github.com/paulvarache/restify-paginate/
- https://github.com/secoats/cve/tree/master/CVE-2020-27543_dos_restify-paginate
- https://security.netapp.com/advisory/ntap-20210401-0002/
- https://www.npmjs.com/package/restify-paginate